GCP Professional Cloud DevOps Engineer Cert Path

Google Cloud Professional Cloud DevOps Engineer Certification

Google Cloud – Professional Cloud DevOps Engineer Certification Learning Path

📋 Last Updated: June 2026 — Updated with current exam guide (5 domains), Cloud Deploy, deprecated services (Cloud Debugger shutdown, Cloud Source Repositories end-of-sale, Container Registry shutdown), GKE Autopilot, Workload Identity Federation, Ops Agent, Managed Service for Prometheus, and OpenTelemetry.

Continuing on the Google Cloud Journey, glad to have passed the 8th certification with the Professional Cloud DevOps Engineer certification. Google Cloud – Professional Cloud DevOps Engineer certification exam focuses on almost all of the Google Cloud DevOps services with Cloud Developer tools, Operations Suite, and SRE concepts.

Google Cloud – Professional Cloud DevOps Engineer Certification Summary

  • Has 50-60 questions to be answered in 2 hours.
  • Certification is valid for 2 years from the date of passing.
  • Covers a wide range of Google Cloud services mainly focusing on DevOps toolset including Cloud Build, Cloud Deploy, Artifact Registry, Cloud Operations Suite with a focus on monitoring and logging, and SRE concepts.
  • The exam is heavily SRE-focused (~28% of the exam) — understanding SLI/SLO/error-budget design, toil reduction, and incident management is essential.
  • The exam covers 5 domains:
    • Applying site reliability engineering principles to a service (~28%)
    • Building and implementing CI/CD pipelines for a service (~24%)
    • Applying service monitoring strategies (~22%)
    • Optimizing service performance (~13%)
    • Managing service incidents (~13%)
  • The exam uses:
    • Cloud Operations (Cloud Monitoring & Logging) and does not refer to Stackdriver.
    • Artifact Registry instead of Container Registry (which was shut down in March 2025).
    • Cloud Deploy as the managed CD service — this is a key exam topic.
    • Ops Agent instead of legacy Monitoring/Logging agents.
  • There are no case studies for the exam.
  • GKE knowledge is essential — deployments, services, autoscaling, and Workload Identity Federation for GKE are all tested.
  • As mentioned for all the exams, Hands-on is a MUST. If you have not worked on GCP before, make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands.

Google Cloud – Professional Cloud DevOps Engineer Certification Resources

Google Cloud – Professional Cloud DevOps Engineer Certification Topics

Developer Tools – CI/CD

  • Google Cloud Build
    • Cloud Build integrates with GitHub, GitLab, Bitbucket, and Cloud Source Repositories (legacy) and can be used for Continuous Integration and Deployments.
    • Cloud Build can import source code, execute build to the specifications, and produce artifacts such as Docker containers or Java archives.
    • Cloud Build can trigger builds on source commits using 2nd gen repository connections (GitHub, GitLab, Bitbucket) or legacy 1st gen triggers.
    • Cloud Build build config file specifies the instructions to perform, with steps defined for each task like the test, build, and deploy.
    • Cloud Build step specifies an action to be performed and is run in a Docker container.
    • Cloud Build supports custom images as well for the steps.
    • Cloud Build integrates with Pub/Sub to publish messages on build state changes.
    • Cloud Build Private Pools provide dedicated, customer-owned build infrastructure for builds requiring VPC connectivity or enhanced security.
    • Cloud Build generates SLSA Level 3 build provenance for artifacts stored in Artifact Registry, providing verifiable supply chain security metadata including image digests, source locations, and build arguments.
    • Cloud Build should use a Service Account with a Container Developer role to perform deployments on GKE.
    • Cloud Build uses a directory named /workspace as a working directory and the assets produced by one step can be passed to the next one via the persistence of the /workspace directory.
  • Google Cloud Deploy (Managed CD)
    • Cloud Deploy is a managed, opinionated Continuous Delivery service that automates delivery of applications to a series of target environments (dev → staging → production).
    • Cloud Deploy uses Skaffold for rendering and deploying Kubernetes manifests or Cloud Run services.
    • Cloud Deploy supports deployment to GKE, Cloud Run, and GKE Enterprise targets.
    • Cloud Deploy supports multiple deployment strategies: standard (rolling), canary, and blue/green deployments.
    • Cloud Deploy canary deployments allow progressive rollouts with configurable traffic percentages (e.g., 10% → 50% → 100%).
    • Cloud Deploy supports automated promotion between targets when a release succeeds in the previous environment.
    • Cloud Deploy supports deploy verification — automated tests that run after deployment to validate the release before promotion.
    • Cloud Deploy integrates with Cloud Build (CI triggers release creation) and Binary Authorization (policy enforcement).
    • Hint: For managed, structured delivery pipelines with progressive rollout to GKE/Cloud Run, choose Cloud Deploy over Spinnaker or custom scripts.
  • Binary Authorization and Software Supply Chain Security
    • Binary Authorization provides software supply-chain security for container-based applications. It enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms.
    • Binary Authorization uses attestations to verify that an image was built by a specific build system or continuous integration (CI) pipeline.
    • Binary Authorization integrates with Cloud Build’s SLSA provenance to verify build authenticity.
    • Artifact Analysis (formerly Container Analysis) helps scan images for vulnerabilities.
    • Hint: For security and compliance reasons if the image deployed needs to be trusted, use Binary Authorization with attestation-based policies.
  • Google Artifact Registry
    • Artifact Registry is the single registry service for all artifact types — container images, Maven, npm, Python, Go, Apt, Yum, and more.
    • Container Registry was shut down on March 18, 2025. All container image storage must use Artifact Registry.
    • Artifact Registry supports both regional and multi-regional repositories.
    • Artifact Registry supports gcr.io domain routing for backward compatibility with Container Registry URLs.
    • Artifact Registry integrates with Artifact Analysis for vulnerability scanning and SBOM generation.
  • Google Cloud Source Repositories (Legacy)

    ⚠️ End of Sale: Cloud Source Repositories is not available to new customers as of June 17, 2024. Existing customers can continue to use it, but new projects should use Secure Source Manager or third-party repositories (GitHub, GitLab, Bitbucket).

    • Cloud Source Repositories are fully-featured, private Git repositories hosted on Google Cloud.
    • Secure Source Manager is the recommended replacement — a regionally deployed, single-tenant, managed source code repository on Google Cloud.
    • Cloud Build 2nd gen repository connections support direct integration with GitHub, GitLab, and Bitbucket without requiring Cloud Source Repositories.
    • Hint: If the code needs to be version controlled and needs collaboration with multiple members, choose Git-related options (GitHub/GitLab integration or Secure Source Manager).
  • Google Cloud Code
    • Cloud Code helps write, debug, and deploy the cloud-based applications for IntelliJ, VS Code, or in the browser.
  • Google Cloud Client Libraries
    • Google Cloud Client Libraries provide client libraries and SDKs in various languages for calling Google Cloud APIs.
    • If the language is not supported, Cloud REST APIs can be used.
  • Deployment Techniques
    • Recreate deployment – fully scale down the existing application version before you scale up the new application version.
    • Rolling update – update a subset of running application instances instead of simultaneously updating every application instance.
    • Blue/Green deployment – (also known as a red/black deployment), you perform two identical deployments of your application.
    • Canary deployment – progressively roll out a change, increasing traffic percentages to the new version.
    • GKE supports Rolling and Recreate deployments natively.
      • Rolling deployments support maxSurge (new pods created) and maxUnavailable (existing pods deleted).
    • Cloud Deploy supports canary and blue/green for GKE and Cloud Run targets.
    • Managed Instance Groups support Rolling deployments using maxSurge and maxUnavailable configurations.
  • Testing Strategies
    • Canary testing – partially roll out a change and then evaluate its performance against a baseline deployment.
    • A/B testing – test a hypothesis by using variant implementations. A/B testing is used to make business decisions (not only predictions) based on the results derived from data.
    • Cloud Deploy supports deploy verification to automatically validate releases after deployment.
  • Spinnaker
    • Spinnaker is an open-source, multi-cloud continuous delivery platform for releasing software changes.
    • Spinnaker supports Blue/Green rollouts by dynamically enabling and disabling traffic to a particular Kubernetes resource.
    • Spinnaker recommends comparing canary against an equivalent baseline, deployed at the same time instead of production deployment.
    • Note: For new GCP-native deployments, Google Cloud Deploy is the recommended managed alternative to self-hosted Spinnaker.

Cloud Operations Suite (Observability)

  • Google Cloud Observability (formerly Operations Suite) provides monitoring, alerting, error reporting, metrics, tracing, profiling, and logging.
  • Google Cloud Monitoring
    • Cloud Monitoring helps gain visibility into the performance, availability, and health of your applications and infrastructure.
    • Ops Agent is the recommended unified agent (replaces legacy Monitoring and Logging agents). It uses OpenTelemetry and Fluent Bit to collect metrics and logs from Compute Engine VMs.
    • Legacy Monitoring Agent and Logging Agent are still functional but should be migrated to Ops Agent for new deployments.
    • Cloud Monitoring supports SLO monitoring — define SLOs directly in Cloud Monitoring with burn-rate alerts based on error budget consumption.
    • Cloud Monitoring supports log exports where the logs can be sunk to Cloud Storage, Pub/Sub, BigQuery, or an external destination like Splunk.
    • Cloud Monitoring API supports push or export custom metrics.
    • Uptime checks help check if the resource responds. It can check the availability of any public service on VM, App Engine, URL, GKE, or AWS Load Balancer.
    • Process health checks can be used to check if any process is healthy.
  • Managed Service for Prometheus
    • Managed Service for Prometheus lets you globally monitor and alert on workloads using Prometheus and OpenTelemetry, without manually managing Prometheus at scale.
    • Supports both managed collection (Google manages the collector) and self-deployed collection (you run your own Prometheus or OpenTelemetry Collector).
    • Integrates natively with GKE for Kubernetes workload monitoring.
    • Supports PromQL for querying and alerting, compatible with existing Prometheus dashboards and rules.
    • Hint: For Prometheus-based monitoring on GKE at scale, use Managed Service for Prometheus instead of self-managed Prometheus.
  • OpenTelemetry Integration
    • Google Cloud supports OpenTelemetry Protocol (OTLP) for sending metrics, traces, and logs directly to Cloud Monitoring, Cloud Trace, and Cloud Logging.
    • OpenTelemetry Collector can be deployed as a sidecar or DaemonSet on GKE to collect and export telemetry data.
    • GKE supports Managed OpenTelemetry with an Instrumentation custom resource that automatically injects configuration into workloads.
  • Google Cloud Logging
    • Cloud Logging provides real-time log management and analysis.
    • Cloud Logging allows ingestion of custom log data from any source.
    • Logs can be exported by configuring log sinks to BigQuery, Cloud Storage, or Pub/Sub.
    • Log Analytics allows SQL-based querying of logs using BigQuery-integrated log buckets.
    • The Ops Agent collects application logs from VMs (replaces legacy Logging Agent which used fluentd).
    • VPC Flow Logs helps record network flows sent from and received by VM instances.
    • Cloud Logging Log-based metrics can be used to create alerts on logs.
    • Hint: If the logs from VM do not appear on Cloud Logging, check if the Ops Agent is installed and running and it has proper permissions to write the logs to Cloud Logging.
  • Cloud Error Reporting
    • Counts, analyzes, and aggregates the crashes in the running cloud services.
  • Cloud Profiler
    • Cloud Profiler allows continuous profiling of CPU and memory usage in production applications with minimal overhead.
    • Helps identify performance bottlenecks in code running on GCP and on-premises resources.
  • Cloud Trace
    • Is a distributed tracing system that collects latency data from the applications and displays it in the Google Cloud Console.
    • Supports OpenTelemetry-based instrumentation for automatic trace collection.
  • Cloud Debugger

    ⚠️ SHUT DOWN: Cloud Debugger was deprecated on May 16, 2022 and the service was shut down on May 31, 2023. It is no longer available and is not tested on the exam.

    • Cloud Debugger previously allowed inspecting the state of a running application in real-time.
    • For runtime debugging needs, use Cloud Logging with structured logs, Cloud Trace for latency analysis, or snapshot-based debugging tools.

Compute Services

  • Compute services like Google Compute Engine and Google Kubernetes Engine are tested from the DevOps, scaling, and security aspects.
  • Google Compute Engine
    • Google Compute Engine is the IaaS option for computing and provides fine-grained control.
    • Spot VMs (formerly Preemptible VMs) and their use cases. HINT – use for short-term, fault-tolerant workloads.
    • Committed Usage Discounts (CUDs) help provide cost benefits for long-term stable and predictable usage.
    • Managed Instance Groups can help scale VMs as per the demand. It also helps provide auto-healing and high availability with health checks, in case an application fails.
  • Google Kubernetes Engine
    • GKE Autopilot is the recommended and default mode of operation — Google fully manages nodes, scaling, security, and node configuration.
      • Autopilot provides a Pod-level SLA and eliminates node management overhead.
      • Supports burstable workloads, GPUs, and StatefulSets.
    • GKE Standard provides full control over node configuration for specialized workloads.
    • GKE can be scaled using:
      • Cluster Autoscaler to scale the cluster node pools.
      • Vertical Pod Autoscaler (VPA) to adjust pod resource requests/limits based on actual usage.
      • Horizontal Pod Autoscaler (HPA) to scale the number of pods based on CPU, memory, or custom/external metrics.
      • Multidimensional Pod Autoscaling — combines HPA (scale out on CPU) and VPA (scale up on memory) simultaneously.
    • Workload Identity Federation for GKE (formerly GKE Workload Identity) is the recommended way for GKE workloads to authenticate to Google Cloud APIs without service account keys.
      • Eliminates the need for service account key files in containers.
      • Pods authenticate with short-lived federated tokens tied to their Kubernetes ServiceAccount.
    • Kubernetes Secrets can be used to store secrets (although they are just base64 encoded values). For production, use Secret Manager integration.
    • Kubernetes supports rolling and recreate deployment strategies.

Security

  • Cloud Key Management Service – KMS
    • Cloud KMS can be used to manage cryptographic keys and encrypt data in Cloud Storage and other integrated services.
  • Secret Manager
    • Secret Manager stores, manages, and provides access to secrets (API keys, passwords, certificates) as binary blobs or text strings.
    • Supports automatic rotation, versioning, and fine-grained IAM access control.
    • Integrates with GKE via Workload Identity Federation for secure secret access from pods.

Site Reliability Engineering – SRE

  • SRE is a DevOps implementation and focuses on increasing reliability and observability, collaboration, and reducing toil using automation.
  • SRE is the largest domain (~28%) of the Professional Cloud DevOps Engineer exam.
  • SLOs help specify a target level for the reliability of your service using SLIs which provide actual measurements.
  • SLI Types:
    • Availability
    • Freshness
    • Latency
    • Quality
  • SLOs – Choosing the measurement method:
    • Synthetic clients to measure user experience
    • Client-side instrumentation
    • Application and infrastructure metrics
    • Logs processing
  • SLOs define Error Budget and Error Budget Policy which need to be aligned with all stakeholders and help plan releases to focus on features vs reliability.
    • Burn-rate alerts can be configured in Cloud Monitoring to alert when error budget is being consumed too quickly.
    • When error budget is exhausted, the team should prioritize reliability over new features (feature freeze).
  • SRE focuses on Reducing Toil – Identifying repetitive, manual, automatable tasks and eliminating them through automation.
  • Production Readiness Review – PRR
    • Applications should be performance tested for volumes before being deployed to production.
    • SLOs should not be modified/adjusted to facilitate production deployments. Teams should work to make the applications SLO compliant before they are deployed to production.
  • SRE Practices include:
    • Incident Management and Response
      • Priority should be to mitigate the issue, and then investigate and find the root cause. Mitigating would include:
        • Rolling back the release that caused the issue.
        • Routing traffic to a working site to restore user experience.
      • Incident Live State Document helps track the events and decision making which can be useful for postmortem.
      • Involves the following roles:
        • Incident Commander/Manager
          • Sets up a communication channel for all to collaborate.
          • Assigns and delegates roles. IC would assume any role, if not delegated.
          • Responsible for Incident Live State Document.
        • Communications Lead
          • Provides periodic updates to all the stakeholders and customers.
        • Operations Lead
          • Responds to the incident and should be the only group modifying the system during an incident.
    • Postmortem
      • Should contain the root cause.
      • Should be Blameless — focus on systems and processes, not individuals.
      • Should be shared with all for collaboration and feedback.
      • Should be shared with all the stakeholders.
      • Should have proper action items to prevent recurrence with an owner and collaborators, if required.
    • Chaos Engineering
      • Proactively testing system resilience by intentionally introducing failures.
      • Helps identify weaknesses before they cause real incidents.
      • Should be conducted in controlled environments with proper safeguards.

All the Best !!

Google Cloud Certified – Cloud Digital Leader Learning Path

Google Cloud Certified - Cloud Digital Leader Certificate

Google Cloud – Cloud Digital Leader Certification Learning Path

🆕 2026 Update: A new Cloud Digital Leader beta exam is open for registration through July 5, 2026 (~75 questions, 2 hours, $59). The standard exam remains available through July 29, 2026. The exam is now delivered via Pearson VUE (replacing Kryterion). Google also launched a new Generative AI Leader certification in May 2025 for non-technical professionals.

Continuing on the Google Cloud Journey, glad to have passed the seventh certification with the Professional Cloud Digital Leader certification. Google Cloud was missing the initial entry-level certification similar to AWS Cloud Practitioner certification, which was introduced as the Cloud Digital Leader certification. Cloud Digital Leader focuses on general Cloud knowledge, Google Cloud knowledge with its products and services.

Google Cloud – Cloud Digital Leader Certification Summary

  • Has 50-60 questions to be answered in 90 minutes (standard exam).
  • Registration fee is $99 USD (plus tax where applicable).
  • Covers a wide range of General Cloud and Google Cloud services and products knowledge.
  • This exam does not require much Hands-on and theoretical knowledge is good enough to clear the exam.
  • Certification validity is 3 years, with a renewal exam option (20 questions, 45 minutes, $60).
  • Exam is delivered online-proctored or at onsite test centers via Pearson VUE.

Google Cloud – Cloud Digital Leader Exam Domains (Current)

The current Cloud Digital Leader exam covers six domains:

  1. Digital Transformation with Google Cloud (~17%)
  2. Exploring Data Transformation with Google Cloud (~16%)
  3. Innovating with Google Cloud Artificial Intelligence (~16%)
  4. Modernizing Infrastructure and Applications with Google Cloud (~17%)
  5. Trust and Security with Google Cloud (~17%)
  6. Scaling with Google Cloud Operations (~17%)

Google Cloud – Cloud Digital Leader Certification Resources

Google Cloud – Cloud Digital Leader Certification Topics

General cloud knowledge

  1. Define basic cloud technologies. Considerations include:
    1. Differentiate between traditional infrastructure, public cloud, and private cloud
      1. Traditional infrastructure includes on-premises data centers
      2. Public cloud include Google Cloud, AWS, and Azure
      3. Private Cloud includes services like AWS Outpost
    2. Define cloud infrastructure ownership
    3. Shared Responsibility Model
      1. Security of the Cloud is Google Cloud’s responsibility
      2. Security on the Cloud depends on the services used and is shared between Google Cloud and the Customer
    4. Essential characteristics of cloud computing
      1. On-demand computing
      2. Pay-as-you-use
      3. Scalability and Elasticity
      4. High Availability and Resiliency
      5. Security
  2. Differentiate cloud service models. Considerations include:
    1. Infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)
      1. IaaS – everything is done by you – more flexibility more management
      2. PaaS – most of the things are done by Cloud with few things done by you – moderate flexibility and management
      3. SaaS – everything is taken care of by the Cloud, you would just use it – no flexibility and management
    2. Describe the trade-offs between level of management versus flexibility when comparing cloud services
    3. Define the trade-offs between costs versus responsibility
    4. Appropriate implementation and alignment with given budget and resources
  3. Identify common cloud procurement financial concepts. Considerations include:
    1. Operating expenses (OpEx), capital expenditures (CapEx), and total cost of operations (TCO)
      1. On-premises has more of Capex and less OpEx
      2. Cloud has no to least Capex and more of OpEx
    2. Recognize the relationship between OpEx and CapEx related to networking and compute infrastructure
    3. Summarize the key cost differentiators between cloud and on-premises environments

General Google Cloud knowledge

  1. Recognize how Google Cloud meets common compliance requirements. Considerations include:
    1. Locating current Google Cloud compliance requirements
    2. Familiarity with Compliance Reports Manager
  2. Recognize the main elements of Google Cloud resource hierarchy. Considerations include:
    1. Describe the relationship between organization, folders, projects, and resources i.e. Organization -> Folder -> Folder or Projects -> Resources
  3. Describe controlling and optimizing Google Cloud costs. Considerations include:
    1. Google Cloud billing models and applicability to different service classes
    2. Define a consumption-based use model
    3. Application of discounts (e.g., flat-rate, committed-use discounts [CUD], sustained-use discounts [SUD])
      1. Sustained-use discounts [SUD] are automatic discounts for running specific resources for a significant portion of the billing month
      2. Committed use discounts [CUD] help with committed use contracts in return for deeply discounted prices for VM usage
  4. Describe Google Cloud’s geographical segmentation strategy. Considerations include:
    1. Regions are collections of zones. Zones have high-bandwidth, low-latency network connections to other zones in the same region. Regions help design fault-tolerant and highly available solutions.
    2. Zones are deployment areas within a region and provide the lowest latency usually less than 10ms
    3. Regional resources are accessible by any resources within the same region
    4. Zonal resources are hosted in a zone are called per-zone resources.
    5. Multiregional resources or Global resources are accessible by any resource in any zone within the same project.
  5. Define Google Cloud support options. Considerations include:
    1. Distinguish between billing support, technical support, role-based support, and enterprise support
      1. Role-Based Support provides more predictable rates and a flexible configuration. Although they are legacy, the exam does cover these.
      2. Enterprise Support provides the fastest case response times and a dedicated Technical Account Management (TAM) contact who helps you execute a Google Cloud strategy.
    2. Recognize a variety of Service Level Agreement (SLA) applications

Google Cloud products and services

  1. Describe the benefits of Google Cloud virtual machine (VM)-based compute options. Considerations include:
    1. Compute Engine provides virtual machines (VM) hosted on Google’s infrastructure.
    2. Google Cloud VMware Engine helps easy lift and shift VMware-based applications to Google Cloud without changes to the apps, tools, or processes
    3. Bare Metal lets businesses run specialized workloads such as Oracle databases close to Google Cloud while lowering overall costs and reducing risks associated with migration
    4. Custom versus standard sizing
    5. Free, premium, and custom service options
    6. Attached storage/disk options
    7. Spot VMs (formerly Preemptible VMs) are instances that can be created and run at a much lower price than standard instances. Google Cloud can reclaim them at any time when resources are needed. Spot VMs are the recommended replacement for Preemptible VMs.
      ⚠️ Note: Preemptible VMs have been superseded by Spot VMs. Google recommends using Spot VMs for fault-tolerant, batch, and stateless workloads. Spot VMs have no maximum 24-hour runtime limit unlike legacy Preemptible VMs.
  2. Identify and evaluate container-based compute options. Considerations include:
    1. Define the function of a container registry
      1. Artifact Registry is the recommended service to manage container images, perform vulnerability analysis, and manage access control. It supports Docker images, language packages, and OS packages.
        ⚠️ Note: Container Registry was shut down on March 18, 2025. All users must use Artifact Registry which provides all Container Registry functionality plus additional features including multi-format support and regional repositories.
    2. Distinguish between VMs, containers, and Google Kubernetes Engine
  3. Identify and evaluate serverless compute options. Considerations include:
    1. Define the function and use of App Engine, Cloud Functions, and Cloud Run
    2. Define rationale for versioning with serverless compute options
    3. Cost and performance tradeoffs of scale to zero
      1. Scale to zero helps provides cost efficiency by scaling down to zero when there is no load but comes with an issue with cold starts
      2. Serverless technologies like Cloud Functions, Cloud Run, App Engine Standard provide these capabilities
  4. Identify and evaluate multiple data management offerings. Considerations include:
    1. Describe the differences and benefits of Google Cloud’s relational and non-relational database offerings
      1. Cloud SQL provides fully managed, relational SQL databases and offers MySQL, PostgreSQL, MSSQL databases as a service
      2. Cloud Spanner provides fully managed, relational SQL databases with joins and secondary indexes
      3. AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service designed for demanding enterprise workloads, offering up to 4x faster performance than standard PostgreSQL
      4. Cloud Bigtable provides a scalable, fully managed, non-relational NoSQL wide-column analytical big data database service suitable for low-latency single-point lookups and precalculated analytics
      5. Firestore is a fully managed, serverless NoSQL document database for mobile, web, and server development
      6. BigQuery provides fully managed, no-ops, OLAP, enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
    2. Describe Google Cloud’s database offerings and how they compare to commercial offerings
  5. Distinguish between ML/AI offerings. Considerations include:
    1. Describe the differences and benefits of Google Cloud’s AI and ML services
      1. Vertex AI is Google Cloud’s unified AI/ML platform for building, deploying, and scaling ML models and AI applications
      2. Gemini is Google’s multimodal large language model available through Vertex AI for generative AI use cases
    2. Identify when to train your own model, use a Google Cloud pre-trained model, or build on an existing model
      1. Vision AI provides out-of-the-box pre-trained models to extract data from images
      2. Vertex AI AutoML provides the ability to train custom models with minimal ML expertise
      3. BigQuery ML provides support for limited models and SQL interface
      4. Gemini and other foundation models allow fine-tuning for domain-specific tasks
    3. Understand generative AI concepts
      1. Large Language Models (LLMs), foundation models, and multimodal models
      2. Prompting, fine-tuning, and grounding
      3. Responsible AI principles
  6. Differentiate between data movement and data pipelines. Considerations include:
    1. Describe Google Cloud’s data pipeline offerings
      1. Cloud Pub/Sub provides reliable, many-to-many, asynchronous messaging between applications. By decoupling senders and receivers, Google Cloud Pub/Sub allows developers to communicate between independently written applications.
      2. Cloud Dataflow is a fully managed service for strongly consistent, parallel data-processing pipelines
      3. Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building & managing data pipelines
      4. BigQuery Service is a fully managed, highly scalable data analysis service that enables businesses to analyze Big Data.
      5. Looker provides an enterprise platform for business intelligence, data applications, and embedded analytics.
      6. Data Studio (formerly known as Looker Studio) is a free, self-service data visualization and reporting tool for creating interactive dashboards.
    2. Define data ingestion options
  7. Apply use cases to a high-level Google Cloud architecture. Considerations include:
    1. Define Google Cloud’s offerings around the Software Development Life Cycle (SDLC)
    2. Describe Google Cloud’s platform visibility and alerting offerings covers Cloud Monitoring and Cloud Logging
  8. Describe solutions for migrating workloads to Google Cloud. Considerations include:
    1. Identify data migration options
      1. Storage Transfer Service for transferring data between cloud storage providers
      2. Transfer Appliance for large-scale offline data migration
      3. Database Migration Service for migrating databases to Cloud SQL and AlloyDB
    2. Differentiate when to use Migrate to Virtual Machines versus Migrate to Containers
      1. Migrate to Virtual Machines (formerly Migrate for Compute Engine) provides fast, flexible, and safe VM migration to Google Cloud
        ⚠️ Note: Migrate for Compute Engine was deprecated on April 30, 2024 and replaced by Migrate to Virtual Machines.
      2. Migrate to Containers (formerly Migrate for Anthos and GKE) makes it fast and easy to modernize traditional applications away from virtual machines and into native containers. This significantly reduces the cost and labor that would be required for a manual application modernization project.
    3. Distinguish between lift and shift versus application modernization
      1. Lift and shift involves migration with zero to minimal changes and is usually performed with time constraints
      2. Application modernization requires a redesign of infra and applications and takes time. It can include moving legacy monolithic architecture to microservices architecture, building CI/CD pipelines for automated builds and deployments, frequent releases with zero downtime, etc.
  9. Describe networking to on-premises locations. Considerations include:
    1. Define Software-Defined WAN (SD-WAN)
    2. Determine the best connectivity option based on networking and security requirements – covers Cloud VPN, Interconnect, and Peering.
    3. Private Google Access provides access from VM instances to Google services like Cloud Storage or third-party services without external IP addresses
  10. Define identity and access features. Considerations include:
    1. Cloud Identity & Access Management (Cloud IAM) provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    2. Google Cloud Directory Sync enables administrators to synchronize users, groups, and other data from an Active Directory/LDAP service to their Google Cloud domain directory.

Related Google Cloud Certifications

After completing the Cloud Digital Leader certification, consider the following paths:

GCP Professional Cloud Developer Cert Path

Google Cloud Profressional Cloud Developer Certificate

Google Cloud – Professional Cloud Developer Certification learning path

📌 Last Updated: June 2026 — This post has been updated to reflect current exam format, service renamings (Cloud Run functions, Spot VMs, Sensitive Data Protection), deprecated services (Cloud Debugger shut down May 2023), and the transition to Pearson VUE for exam delivery.

Continuing on the Google Cloud Journey, glad to have passed the sixth certification with the Professional Cloud Developer certification.

Google Cloud – Professional Cloud Developer Certification Summary

  • The exam has 50-60 multiple choice and multiple select questions to be answered in 2 hours.
  • Registration fee is $200 (plus tax where applicable).
  • Covers a wide range of Google Cloud services mainly focusing on application development, containerization, CI/CD pipelines, and cloud service integration.
  • As of March 2026, exams are delivered through Pearson VUE (previously Kryterion). You can take the exam online-proctored or at a testing center.
  • Exams are being updated to reflect product updates announced at Google Cloud Next ’26, including Gemini and AI-related services. Refer to the exam guide for current topics.
  • Make sure you cover the case studies beforehand. I got ~5-6 questions and it can really be a savior for you in the exams.
  • As mentioned for all the exams, Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands.
  • Google recommends 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud.

Google Cloud – Professional Cloud Developer Certification Resources

Google Cloud – Professional Cloud Developer Certification Topics

Case Studies

Compute Services

  • Compute services like Google Compute Engine, Google Kubernetes Engine, Cloud Run, and App Engine are covered with focus on selecting the right platform and security aspects.
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control.
    • Compute Engine is recommended to be used with Service Account with the least privilege to provide access to Google services and the information can be queried from instance metadata.
    • Compute Engine Persistent disks can be attached to multiple VMs in read-only mode.
    • Compute Engine launch issues reasons:
      • Boot disk is full.
      • Boot disk is corrupted.
      • Boot Disk has an invalid master boot record (MBR).
      • Quota Errors.
      • Can be debugged using Serial console.
    • Spot VMs (previously known as Preemptible VMs) and their use cases. Spot VMs are the recommended replacement — they have no 24-hour maximum lifetime (unlike legacy Preemptible VMs) and run indefinitely as long as capacity is available. HINT — shutdown script to perform cleanup actions.
  • Cloud Run
    • Cloud Run is a fully managed serverless platform for deploying and running containerized applications without managing infrastructure.
    • Cloud Run services — run containers that are invocable via HTTP requests or events, with automatic scaling (including scale-to-zero).
    • Cloud Run jobs — run containers to completion for batch workloads, scripts, and data processing tasks (GA since 2023).
    • Cloud Run functions (formerly Cloud Functions, renamed August 2024) — event-driven functions with the same simple programming model, now deployed on Cloud Run infrastructure with fine-grained control over concurrency, CPU/memory, and networking.
    • Cloud Run supports GPU access for AI/ML inference workloads.
    • Cloud Run integrates with Eventarc for event delivery from 130+ Google Cloud sources.
    • Supports minimum instances to avoid cold starts, and maximum instances to control costs.
  • Google Kubernetes Engine
    • Google Kubernetes Engine enables running containers on Google Cloud.
    • GKE Autopilot is the recommended fully managed mode — Google manages nodes, nodepools, and scaling. In 2024, 30% of active GKE clusters used Autopilot mode. As of 2026, Autopilot is available to all qualifying clusters.
    • Understand GKE containers, Pods, Deployments, Service, DaemonSet, StatefulSets:
      • Pods are the smallest, most basic deployable objects in Kubernetes. A Pod represents a single instance of a running process in the cluster and can contain single or multiple containers.
      • Deployments represent a set of multiple, identical Pods with no unique identities. A Deployment runs multiple replicas of the application and automatically replaces any instances that fail or become unresponsive.
      • StatefulSets represent a set of Pods with unique, persistent identities and stable hostnames that GKE maintains regardless of where they are scheduled.
      • DaemonSets manage groups of replicated Pods. DaemonSets attempt to adhere to a one-Pod-per-node model, either across the entire cluster or a subset of nodes.
      • Service is to group a set of Pod endpoints into a single resource. GKE Services can be exposed as ClusterIP, NodePort, and Load Balancer.
      • Ingress object defines rules for routing HTTP(S) traffic to applications running in a cluster. An Ingress object is associated with one or more Service objects.
      • Gateway API is the next-generation routing API for Kubernetes (successor to Ingress). It provides expressive, extensible, and role-oriented traffic routing with built-in capabilities for header-based matching, traffic weighting, and traffic splitting.
    • GKE supports Horizontal Pod Autoscaler (HPA) to autoscale deployments based on CPU and Memory.
    • GKE supports health checks using liveness and readiness probes:
      • Readiness probes are designed to let Kubernetes know when the app is ready to serve traffic.
      • Liveness probes let Kubernetes know if the app is alive or dead.
    • Understand Workload Identity Federation for GKE (formerly Workload Identity) for security — the recommended way to provide Pods running on the cluster access to Google resources without service account keys.
    • GKE integrates with Istio/Anthos Service Mesh for mTLS and service-to-service security.
  • Google App Engine
  • Cloud Tasks
    • is a fully managed service that allows you to manage the execution, dispatch, and delivery of a large number of distributed tasks.

Security Services

  • Cloud Identity-Aware Proxy
    • Identity-Aware Proxy IAP allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
    • IAP uses Google identities and IAM and can leverage external identity providers as well like OAuth with Facebook, Microsoft, SAML, etc.
    • Signed headers using JWT provide secondary security in case someone bypasses IAP.
  • Sensitive Data Protection (formerly Cloud DLP)
    • Sensitive Data Protection (previously Cloud Data Loss Prevention / Cloud DLP) is a fully managed service designed to help discover, classify, and protect the most sensitive data.
    • Provides key features:
      • Classification/Inspection — inspect the data and know what data you have, how sensitive it is, and the likelihood.
      • De-identification — the process of removing, masking, redaction, replacing information from data.
      • Discovery — continuously monitors data resources in your organization, profiling data sensitivity and risk levels across BigQuery, Cloud Storage, and Datastore.
  • Web Security Scanner
    • Web Security Scanner identifies security vulnerabilities in the App Engine, GKE, and Compute Engine web applications.
    • Scans provide information about application vulnerability findings, like OWASP, XSS, Flash injection, outdated libraries, cross-site scripting, clear-text passwords, or use of mixed content.
  • Secret Manager
    • Secret Manager stores API keys, passwords, certificates, and other sensitive data securely.
    • Provides versioning, automatic rotation, and fine-grained IAM access control.
    • Integrates natively with Cloud Run, GKE, and Cloud Build for secure secret injection.

Networking Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets, and host applications within them.
    • Private Access options for services allow instances with internal IP addresses to communicate with Google APIs and services.
    • Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface.
  • Cloud Load Balancing
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.

Identity Services

  • Resource Manager
    • Understand Resource Manager the hierarchy Organization → Folders → Projects → Resources.
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
  • Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
    • Understand IAM Best Practices:
      • Use groups for users requiring the same responsibilities.
      • Use service accounts for server-to-server interactions.
      • Use Workload Identity Federation instead of service account keys for external workloads and GKE pods.
      • Use Organization Policy Service to get centralized and programmatic control over the organization’s cloud resources.
    • Domain-wide delegation of authority to grant third-party and internal applications access to the users’ data (e.g., Google Drive).

Storage Services

  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data and provides an option for long term data retention.
    • Understand Signed URL to give temporary access and the users do not need to be GCP users. HINT: Signed URL would work for direct upload to GCS without routing the traffic through App Engine or CE.
    • Understand Google Cloud Storage Classes and Object Lifecycle Management to transition objects.
    • Retention Policies help define the retention period for the bucket, before which the objects in the bucket cannot be deleted.
    • Bucket Lock feature allows configuring a data retention policy for a bucket that governs how long objects in the bucket must be retained. The feature also allows locking the data retention policy, permanently preventing the policy from being reduced or removed.
    • Know Cloud Storage Best PracticesGCS auto-scaling performs well if requests ramp up gradually rather than having a sudden spike. Also, retry using exponential back-off strategy.
    • Cloud Storage can be used to host static websites.
    • Cloud CDN can be used with Cloud Storage to improve performance and enable caching.
  • Firestore
    • Firestore (successor to Cloud Datastore) provides a managed NoSQL document database built for automatic scaling, high performance, and ease of application development.
    • Firestore operates in Native mode (real-time sync, offline support) or Datastore mode (backward compatible with Cloud Datastore).
  • Artifact Registry
    • Artifact Registry is the recommended container and package registry (Container Registry was shut down on March 18, 2025).
    • Supports Docker images, language packages (Maven, npm, Python, etc.), and OS packages.
    • Integrates with Cloud Build for CI/CD pipelines and provides vulnerability scanning.

Developer Tools

  • Google Cloud Build
    • Cloud Build is a serverless CI/CD platform that integrates with GitHub, GitLab, and Bitbucket (Cloud Source Repositories is no longer available to new customers as of June 2024; Secure Source Manager is the replacement).
    • Cloud Build can import source code, execute build to specifications, and produce artifacts such as Docker containers or Java archives.
    • Cloud Build build config file specifies the instructions to perform, with steps defined for each task like test, build, and deploy.
    • Cloud Build supports custom images as well for the steps.
    • Cloud Build uses a directory named /workspace as a working directory and the assets produced by one step can be passed to the next one via the persistence of the /workspace directory.
    • Cloud Build 2nd gen repositories provide improved integration with GitHub and GitLab.
  • Google Cloud Code
    • Cloud Code helps write, debug, and deploy cloud-based applications for IntelliJ, VS Code, or in the browser.
  • Google Cloud Client Libraries
    • Google Cloud Client Libraries provide client libraries and SDKs in various languages for calling Google Cloud APIs.
    • If the language is not supported, Cloud REST APIs can be used.
  • Deployment Techniques
    • Recreate deployment — fully scale down the existing application version before you scale up the new application version.
    • Rolling update — update a subset of running application instances instead of simultaneously updating every application instance.
    • Blue/Green deployment — (also known as a red/black deployment), perform two identical deployments of your application.
    • GKE supports Rolling and Recreate deployments.
      • Rolling deployments support maxSurge (new pods would be created) and maxUnavailable (existing pods would be deleted).
    • Managed Instance Groups support Rolling deployments using maxSurge and maxUnavailable configurations.
    • Cloud Run supports traffic splitting for gradual rollouts (route percentages between revisions).
  • Testing Strategies
    • Canary testing — partially roll out a change and then evaluate its performance against a baseline deployment.
    • A/B testing — test a hypothesis by using variant implementations. A/B testing is used to make business decisions (not only predictions) based on the results derived from data.

Data Services

  • Bigtable
  • Cloud Pub/Sub
    • Understand Cloud Pub/Sub as an asynchronous messaging service.
    • Know patterns for One to Many, Many to One, and Many to Many.
    • roles/publisher and roles/pubsub.subscriber provides applications with the ability to publish and consume.
  • Cloud SQL
    • Cloud SQL is a fully managed service that provides MySQL, PostgreSQL, and Microsoft SQL Server.
    • HA configuration provides data redundancy and failover capability with minimal downtime when a zone or instance becomes unavailable.
    • Read replicas help scale horizontally the use of data in a database without degrading performance.
  • Cloud Spanner
    • is a fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
    • Can read and write up-to-date strongly consistent data globally.
    • Multi-region instances give higher availability guarantees (99.999% availability) and global scale.
    • Cloud Spanner’s table interleaving is a good choice for many parent-child relationships where the child table’s primary key includes the parent table’s primary key columns.

Monitoring & Observability

  • Google Cloud Monitoring (part of Google Cloud Observability, formerly Stackdriver)
    • Provides monitoring, alerting, error reporting, metrics, and diagnostics.
    • Cloud Monitoring helps gain visibility into the performance, availability, and health of your applications and infrastructure.
  • Google Cloud Logging
    • Cloud Logging provides real-time log management and analysis.
    • Cloud Logging allows ingestion of custom log data from any source.
    • Logs can be exported by configuring log sinks to BigQuery, Cloud Storage, or Pub/Sub.
    • Cloud Logging Agent (Ops Agent) can be installed for logging and capturing application logs.
  • Cloud Error Reporting
    • Counts, analyzes, and aggregates the crashes in the running cloud services.
  • Cloud Trace
    • is a distributed tracing system that collects latency data from the applications and displays it in the Google Cloud Console.
    • Supports OpenTelemetry Protocol (OTLP) for sending trace data — the recommended approach for new and existing users.
  • Cloud Debugger
    • ⚠️ DEPRECATED: Cloud Debugger was deprecated on May 16, 2022 and shut down on May 31, 2023. It is no longer available.

      Alternative: Use Snapshot Debugger (open-source) or standard logging/tracing with Cloud Logging and Cloud Trace for application debugging.

All the Best !!

GCP Professional Cloud Security Engineer Cert Path

GCP - Professional Cloud Security Engineer Certificate

Google Cloud – Professional Cloud Security Engineer Certification learning path

Continuing on the Google Cloud Journey, have just cleared the Professional Cloud Security certification. Google Cloud – Professional Cloud Security Engineer certification exam focuses on almost all of the Google Cloud security services with storage, compute, networking services with their security aspects only.

📋 Exam Update (2025-2026)

The Professional Cloud Security Engineer exam has been updated to include securing AI workloads (Vertex AI), software supply chain security, and VPC Service Controls as key topics. The exam now has 50-60 questions (previously 50) and costs $200. Approximately ⅓–¼ of the exam now covers Vertex AI security, VPC Service Controls, and private/public endpoint configurations.

Google Cloud – Professional Cloud Security Engineer Certification Summary

  • Has 50-60 questions to be answered in 2 hours.
  • Registration fee: $200 (plus tax where applicable)
  • Available in English and Japanese
  • Can be taken online-proctored or at a testing center
  • Covers a wide range of Google Cloud services mainly focusing on security and network services
  • Recommended experience: 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud
  • As mentioned for all the exams, Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands
  • Certification is valid for 3 years and can be renewed within the renewal eligibility period
  • The exam now covers five key domains:
    • Configuring Access (~25%)
    • Securing Communications and Establishing Boundary Protection (~22%)
    • Ensuring Data Protection (~23%)
    • Managing Operations (~19%)
    • Supporting Compliance Requirements (~11%)

Google Cloud – Professional Cloud Security Engineer Certification Resources

Google Cloud – Professional Cloud Security Engineer Certification Topics

Security Services

  • Google Cloud – Security Services Cheat Sheet
  • Cloud Key Management Service – KMS
    • Cloud KMS provides a centralized, scalable, fast cloud key management service to manage encryption keys
    • KMS Key is a named object containing one or more key versions, along with metadata for the key.
    • KMS KeyRing provides grouping keys with related permissions that allow you to grant, revoke, or modify permissions to those keys at the key ring level without needing to act on each key individually.
    • Supports Autokey (GA 2024) for automatic key provisioning and assignment to protect data at rest
    • Supports Cloud External Key Manager (EKM) for using keys managed in supported external key management partners
  • Cloud Armor
    • Cloud Armor protects the applications from multiple types of threats, including DDoS attacks and application attacks like XSS and SQLi
    • works with the external HTTP(S) load balancer to automatically block network protocol and volumetric DDoS attacks such as protocol floods (SYN, TCP, HTTP, and ICMP) and amplification attacks (NTP, UDP, DNS)
    • Cloud Armor Enterprise (formerly Managed Protection Plus) is the premium tier with advanced DDoS protection, Threat Intelligence, and Adaptive Protection features
    • Adaptive Protection uses ML to detect and mitigate L7 DDoS attacks automatically, trained locally on application traffic patterns
    • Hierarchical Security Policies (GA 2025) enable centralized control and delegation of security policy management across organizations
    • Enhanced WAF inspection now supports up to 64 KB request body inspection (up from 8 KB) for preconfigured WAF rules
    • with GKE needs to be configured with GKE Ingress
    • can be used to blacklist IPs
    • supports preview mode to understand patterns without blocking the users
  • Cloud Identity-Aware Proxy
    • Identity-Aware Proxy IAP allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
    • IAP uses Google identities and IAM and can leverage external identity providers as well like OAuth with Facebook, Microsoft, SAML, etc.
    • Signed headers using JWT provide secondary security in case someone bypasses IAP.
    • IAP is a core component of Google’s BeyondCorp zero-trust model, now delivered through Chrome Enterprise Premium
  • Sensitive Data Protection (formerly Cloud Data Loss Prevention – DLP)
    • Cloud Data Loss Prevention (DLP) is now part of Sensitive Data Protection, a family of services designed to help discover, classify, and protect sensitive data.
    • The API name remains Cloud Data Loss Prevention API (DLP API)
    • provides two key features
      • Classification is the process to inspect the data and know what data we have, how sensitive it is, and the likelihood.
      • De-identification is the process of removing, masking, redaction, replacing information from data.
    • supports text, image, and storage classification with scans on data stored in Cloud Storage, Datastore, and BigQuery
    • supports scanning of binary, text, image, Microsoft Word, PDF, and Apache Avro files
    • Discovery service (data profiler) continuously monitors data resources and classifies data into infoTypes, assessing sensitivity and risk levels
    • Deeply integrated with Security Command Center Enterprise risk engine for continuous data monitoring
    • Supports automatic discovery of unencrypted secrets and data profiling across organizations, folders, or projects
  • Web Security Scanner
    • Web Security Scanner identifies security vulnerabilities in the App Engine, GKE, and Compute Engine web applications.
    • scans provide information about application vulnerability findings, like OWASP, XSS, Flash injection, outdated libraries, cross-site scripting, clear-text passwords, or use of mixed content
  • Security Command Center – SCC
    • is a Security and risk management platform that helps generate curated insights and provides a unique view of incoming threats and attacks to the assets
    • displays possible security risks, called findings, that are associated with each asset.
    • Available in three tiers:
      • Standard tier – Free, now automatically enabled for eligible customers; provides basic security and compliance management
      • Premium tier – Pay-as-you-go; includes Security Health Analytics, Event Threat Detection, Container Threat Detection, and VM Threat Detection
      • Enterprise tier – Subscription-based; extends protection across multiple clouds with Google SecOps integration and automated responses (Note: Enterprise tier shuts down May 21, 2027; organizations will move to Premium tier)
    • Premium and Enterprise tiers include Risk Engine for attack path simulation and toxic combination detection
  • Forseti Security
    ⚠️ DEPRECATED/ARCHIVED – Forseti Security repository was archived by Google on January 11, 2025 due to low community engagement and limited development activity. It is now read-only and no longer supported.

    Alternative: Use Security Command Center (SCC) for centralized security posture management, asset inventory, and compliance monitoring.
    • Was an open-source security toolkit for GCP resource inventory and policy enforcement
    • Kept track of the environment with inventory snapshots of GCP resources on a recurring cadence
  • Chrome Enterprise Premium (formerly BeyondCorp Enterprise)
    • BeyondCorp Enterprise was renamed to Chrome Enterprise Premium in April 2024
    • Provides zero-trust access security integrated directly within the Chrome browser
    • Enables granular access policies for personally-owned and managed devices
    • Combines threat protection, data protection, and zero-trust access in the browser
    • Works with Identity-Aware Proxy (IAP) and Access Context Manager for context-aware access
  • Access Context Manager
    • Access Context Manager allows organization administrators to define fine-grained, attribute-based access control for projects and resources
    • Access Context Manager helps reduce the size of the privileged network and move to a model where endpoints do not carry ambient authority based on the network.
    • Access Context Manager helps prevent data exfiltration with proper access levels and security perimeter rules
    • Works with VPC Service Controls to create security perimeters around Google Cloud resources
  • VPC Service Controls
    • Creates security perimeters that protect resources and data of explicitly specified services
    • Prevents data exfiltration by restricting the movement of data across perimeter boundaries
    • Critical for Vertex AI security – controls access to AI/ML endpoints and training data
    • Supports ingress and egress rules for fine-grained access policies
    • Major exam topic – understand perimeter configuration, access levels, and service restrictions

AI Security (New Exam Topic)

  • Securing Vertex AI Workloads
    • Approximately ⅓–¼ of the current exam covers Vertex AI security topics
    • Understand network security for AI endpoints (private vs public endpoint configurations)
    • Use VPC Service Controls to protect training data and model artifacts
    • Configure IAM roles for Vertex AI (roles/aiplatform.*) with least privilege
    • Understand Customer-Managed Encryption Keys (CMEK) for AI data encryption
    • Secure model serving endpoints with authentication and authorization
  • Confidential Computing
    • Provides hardware-based memory encryption for data-in-use protection
    • Confidential VMs encrypt data while processing, offering protection from cloud operator access
    • Supports secure collaboration and federated learning without revealing individual data
    • Available for Compute Engine, GKE, and AI/ML workloads

Software Supply Chain Security (New Exam Topic)

  • Binary Authorization
    • Deploy-time security control that ensures only trusted container images are deployed on GKE or Cloud Run
    • Enforces signature verification policies before deployment
  • Artifact Registry
    • Universal package manager for container images and language packages
    • Supports vulnerability scanning with Artifact Analysis
    • Replaces Container Registry (deprecated)
  • Software Delivery Shield
    • End-to-end software supply chain security solution
    • Covers source code, build, deploy, and runtime phases
    • Integrates Cloud Build, Artifact Registry, Binary Authorization, and GKE security features

Compliance

  • FIPS 140-2 Validated
    • FIPS 140-2 Validated certification was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
    • Google Cloud uses a FIPS 140-2 validated encryption module called BoringCrypto in the production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption.
    • BoringCrypto module that achieved FIPS 140-2 validation is part of the BoringSSL library.
    • BoringSSL library as a whole is not FIPS 140-2 validated
  • PCI/DSS Compliance
    • PCI/DSS compliance is a shared responsibility model
    • Egress rules cannot be controlled for App Engine, Cloud Functions, and Cloud Storage. Google recommends using Compute Engine and GKE to ensure that all egress traffic is authorized.
    • Antivirus software and File Integrity monitoring must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats including containers
    • For payment processing, the security can be improved and compliance proved by isolating each of these environments into its own VPC network and reduce the scope of systems subject to PCI audit standards
  • Assured Workloads
    • Enables compliance and sovereignty controls for regulated workloads on Google Cloud
    • Supports FedRAMP, IL4, CJIS, ITAR, and regional compliance requirements
    • Automatically applies organization policy constraints and resource location restrictions

Networking Services

  • Refer Google Cloud Security Services Cheat Sheet
  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets, and host applications within them
    • Firewall rules control the Traffic to and from instances. HINT: rules with lower integers indicate higher priorities. Firewall rules can be applied to specific tags.
    • Know implied firewall rules which deny all ingress and allow all egress
    • Understand the difference between using Service Account vs Network Tags for filtering in Firewall rules. HINT: Use SA over tags as it provides access control while tags can be easily inferred.
    • VPC Peering allows internal or private IP address connectivity across two VPC networks regardless of whether they belong to the same project or the same organization. HINT: VPC Peering uses private IPs and does not support transitive peering
    • Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other securely and efficiently using internal IPs from that network
    • Private Access options for services allow instances with internal IP addresses can communicate with Google APIs and services.
    • Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface.
    • Private Service Connect provides private connectivity between VPCs and services, including Google APIs and third-party services, without exposing traffic to the public internet
    • VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
    • Firewall Rules Logging enables auditing, verifying, and analyzing the effects of the firewall rules
  • Hybrid Connectivity
    • Understand Hybrid Connectivity options in terms of security.
    • Cloud VPN provides secure connectivity from the on-premises data center to the GCP network through the public internet. Cloud VPN does not provide internal or private IP connectivity
    • Cloud Interconnect provides direct connectivity from the on-premises data center to the GCP network
  • Cloud NAT
    • Cloud NAT allows VM instances without external IP addresses and private GKE clusters to send outbound packets to the internet and receive any corresponding established inbound response packets.
    • Requests would not be routed through Cloud NAT if they have an external IP address
  • Cloud DNS
    • Understand Cloud DNS and its features
    • supports DNSSEC, a feature of DNS, that authenticates responses to domain name lookups and protects the domains from spoofing and cache poisoning attacks
  • Cloud Load Balancing
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
    • Understand Google Load Balancing options and their use cases esp. which is global, internal and does they support SSL offloading
      • Network Load Balancer – regional, external, pass through and supports TCP/UDP
      • Internal TCP/UDP Load Balancer – regional, internal, pass through and supports TCP/UDP
      • HTTP/S Load Balancer – regional/global, external, and supports HTTP/S
      • Internal HTTP/S Load Balancer – regional/global, internal, and supports HTTP/S
      • SSL Proxy Load Balancer – regional/global, external, proxy, supports SSL with SSL offload capability
      • TCP Proxy Load Balancer – regional/global, external, proxy, supports TCP without SSL offload capability

Identity Services

  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
  • Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
    • Service Account, if accidentally deleted, can be recovered if the time gap is less than 30 days and a service account by the same name wasn’t created
    • Understand IAM Best Practices
      • Use groups for users requiring the same responsibilities
      • Use service accounts for server-to-server interactions.
      • Use Organization Policy Service to get centralized and programmatic control over the organization’s cloud resources.
    • Domain-wide delegation of authority to grant third-party and internal applications access to the users’ data for e.g. Google Drive etc.
    • Workforce Identity Federation allows external identities (from Azure AD, Okta, etc.) to access Google Cloud resources without needing Google Cloud credentials
    • Workload Identity Federation allows external workloads to access Google Cloud resources without using service account keys
    • IAM Conditions enable attribute-based access control (ABAC) for fine-grained, conditional permissions
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity providers like Active Directory.
    • Cloud Identity supports federating with Active Directory using GCDS (Google Cloud Directory Sync) to implement the synchronization

Compute Services

  • Compute services like Google Compute Engine and Google Kubernetes Engine are lightly covered more from the security aspects
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control
    • Managing access using OS Login or project and instance metadata
    • Compute Engine is recommended to be used with Service Account with the least privilege to provide access to Google services and the information can be queried from instance metadata.
    • Shielded VMs provide verifiable integrity of instances through Secure Boot, vTPM, and integrity monitoring
    • Confidential VMs provide hardware-based memory encryption for data-in-use protection
  • Google Kubernetes Engine
    • Google Kubernetes Engine, enables running containers on Google Cloud
    • Understand Best Practices for Building Containers
      • Package a single app per container
      • Properly handle PID 1, signal handling, and zombie processes
      • Optimize for the Docker build cache
      • Remove unnecessary tools
      • Build the smallest image possible
      • Scan images for vulnerabilities using Artifact Analysis
      • Restrict using Public Image
      • Managed Base Images
      • Use Binary Authorization to enforce deployment policies
    • GKE Security Posture dashboard provides visibility into security configurations and vulnerabilities
    • Workload Identity is the recommended way to access Google Cloud services from GKE pods (replaces node SA)

Storage Services

  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data and provides an option for long term data retention
    • Understand Cloud Storage Security features
      • Understand various Data Encryption techniques including Envelope Encryption, CMEK, and CSEK. HINT: CSEK works with Cloud Storage and Persistent Disks only. CSEK manages KEK and not DEK.
      • Cloud Storage default encryption uses AES256
      • Understand Signed URL to give temporary access and the users do not need to be GCP users
      • Understand access control and permissions – IAM (Uniform) vs ACLs (fine-grained control)
      • Bucket Lock feature allows configuring a data retention policy for a bucket that governs how long objects in the bucket must be retained. The feature also allows locking the data retention policy, permanently preventing the policy from being reduced or removed
      • Object Versioning and Soft Delete for protection against accidental deletion

Monitoring

  • Google Cloud Monitoring (formerly Stackdriver)
    • provides monitoring, alert, error reporting, metrics, diagnostics, debugging, trace.
  • Google Cloud Logging (formerly Stackdriver Logging)
    • Audit logs are provided through Cloud Logging using Admin Activity and Data Access Audit logs
    • VPC Flow logs and Firewall Rules logs help monitor traffic to and from Compute Engine instances.
    • log sinks can export data to external providers via Cloud Pub/Sub, BigQuery, Cloud Storage, or third-party SIEM solutions
    • Cloud Audit Logs include Admin Activity, Data Access, System Event, and Policy Denied audit logs
  • Google Security Operations (formerly Chronicle)
    • Cloud-native SIEM and SOAR platform for threat detection, investigation, and response
    • Built on Google infrastructure for petabyte-scale security telemetry analysis
    • Integrated with Security Command Center Enterprise tier
    • Note: There is a separate Professional Security Operations Engineer certification (launched Sept 2025) for deep SecOps specialization

All the Best !!

HashiCorp Terraform Associate Certification Path

📢 Exam Update Notice (January 2026)

The Terraform Associate (003) exam was retired on January 7, 2026. The new Terraform Associate (004) exam launched on January 8, 2026, aligned with Terraform v1.12 and HCP Terraform (formerly Terraform Cloud).

Key 004 Changes:

  • Reorganized into 8 objectives (previously 9 in 003)
  • New topics: import blocks, moved/removed blocks, check blocks, custom conditions, ephemeral values & write-only arguments
  • Terraform Cloud renamed to HCP Terraform throughout
  • terraform taint deprecated — replaced by terraform apply -replace
  • Enhanced coverage of HCP Terraform workspaces and projects

Note: IBM acquired HashiCorp (closed February 2025). Terraform’s license changed from MPL 2.0 to BSL 1.1 in August 2023 (v1.6+). OpenTofu is the community open-source fork under Linux Foundation.

If you are working on a multi-cloud environment and focusing on automation, you would surely have been using Terraform or considered it at some point of time. I have been using Terraform for over two years now for provisioning infrastructure on AWS, GCP and AliCloud right through development to production and it has been a wonderful DevOps journey and It was good to validate the Terraform skills through the Terraform Associate certification.

Terraform is for Cloud Engineers specializing in operations, IT, or development who know the basic concepts and skills associated with open source HashiCorp Terraform. As of 2024, Terraform is now licensed under BSL 1.1 and the managed cloud service is branded as HCP Terraform (formerly Terraform Cloud).

HashiCorp Certified Terraform Associate (004) Exam Summary

  • HashiCorp Certified Terraform Associate (004) exam focuses on Terraform Community Edition and HCP Terraform concepts
  • The exam has 57 questions with a time limit of 60 minutes
  • Exam has multiple answer, multiple choice, fill in the blanks and True/False type of questions
  • The exam is aligned with Terraform v1.12 and covers HCP Terraform features
  • Questions and answer options are pretty short and if you have experience on Terraform they are pretty easy and the time is more than sufficient.
  • The 004 exam has 8 objective domains (down from 9 in 003), with restructured and updated content

HashiCorp Certified Terraform Associate (004) Exam Topic Summary

Refer Terraform Cheat Sheet for details

1. Infrastructure as Code (IaC) with Terraform

  • Explain what IaC is
    • Infrastructure is described using a high-level configuration syntax (HCL – HashiCorp Configuration Language)
    • IaC allows Infrastructure to be versioned and treated as you would any other code.
    • Infrastructure can be shared and re-used.
  • Describe advantages of IaC patterns
    • makes Infrastructure more reliable
    • makes Infrastructure more manageable
    • makes Infrastructure more automated and less error prone
    • enables reproducibility and consistency across environments
  • Explain how Terraform manages multi-cloud, hybrid cloud, and service-agnostic workflows
    • using multi-cloud setup increases fault tolerance and reduces dependency on a single Cloud
    • Terraform provides a cloud-agnostic framework and allows a single configuration to be used to manage multiple providers, and to even handle cross-cloud dependencies.
    • Terraform simplifies management and orchestration, helping operators build large-scale multi-cloud infrastructures.

2. Terraform Fundamentals

  • Install and version Terraform providers
    • Providers provide abstraction above the upstream API and is responsible for understanding API interactions and exposing resources.
    • Terraform configurations must declare which providers they require, so that Terraform can install and use them
    • Provider requirements are declared in a required_providers block.
    • Terraform uses a dependency lock file (.terraform.lock.hcl) to track provider versions and ensure consistent installations.
  • Describe how Terraform uses providers (plugin-based architecture)
    • Terraform relies on plugins called “providers” to interact with remote systems.
    • Terraform finds and installs providers when initializing a working directory. It can automatically download providers from a Terraform registry, or load them from a local mirror or cache.
    • Each Terraform module must declare which providers it requires, so that Terraform can install and use them.
  • Write Terraform configuration using multiple providers
    • supports multiple provider instances using alias for e.g. multiple aws providers with different region
  • Explain how Terraform uses and manages state
    • State is a necessary requirement for Terraform to function.
    • Terraform requires some sort of database to map Terraform config to the real world.
    • Terraform uses its own state structure for mapping configuration to resources in the real world
    • Terraform state helps
      • track metadata such as resource dependencies.
      • provides performance as it stores a cache of the attribute values for all resources in the state
      • aids syncing when using in team with multiple users

3. Core Terraform Workflow

  • Describe Terraform workflow ( Write → Plan → Apply )
    • Core Terraform workflow has three steps:
      • Write – Author infrastructure as code.
      • Plan – Preview changes before applying.
      • Apply – Provision reproducible infrastructure.
  • Initialize a Terraform working directory terraform init
    • initializes a working directory containing Terraform configuration files.
    • performs backend initialization, modules and plugins installation.
    • providers are downloaded in the sub-directory of the present working directory at the path of .terraform/providers
    • creates a dependency lock file (.terraform.lock.hcl) to record provider versions
    • does not delete the existing configuration or state
  • Validate a Terraform configuration terraform validate
    • validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.
    • verifies whether a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state.
    • useful for general verification of reusable modules, including the correctness of attribute names and value types.
  • Generate and review an execution plan for Terraform terraform plan
    • terraform plan creates an execution plan as it traverses each vertex and requests each provider using parallelism
    • calculates the difference between the last-known state and the current state and presents this difference as the output of the terraform plan operation to user in their terminal
    • does not modify the infrastructure or state.
    • allows a user to see which actions Terraform will perform prior to making any changes to reach the desired state
    • performs refresh for each resource and might hit rate limiting issues as it calls provider APIs
    • all resources refresh can be disabled or avoided using
      • -refresh=false or
      • -target=xxxx or
      • break resources into different directories.
  • Apply changes to infrastructure with Terraform terraform apply
    • will always ask for confirmation before executing unless passed the -auto-approve flag.
    • if a resource successfully creates but fails during provisioning, Terraform will error and mark the resource as “tainted”. Terraform does not roll back the changes
    • supports -replace=ADDRESS flag to force recreation of a specific resource (replaces the deprecated terraform taint command)
  • Destroy Terraform managed infrastructure terraform destroy
    • will always ask for confirmation before executing unless passed the -auto-approve flag.
    • equivalent to terraform apply -destroy
  • Apply formatting and style adjustments terraform fmt
    • terraform fmt helps format code into a standard format. It usually aligns the spaces and matches the =
    • use -recursive flag to format files in subdirectories

4. Terraform Configuration

  • Use and differentiate resource and data configuration
    • Resources describe one or more infrastructure objects, such as virtual networks, instances, or higher-level components such as DNS records.
    • Data sources allow data to be fetched or computed for use elsewhere in Terraform configuration. Use of data sources allows a Terraform configuration to make use of information defined outside of Terraform, or defined by another separate Terraform configuration.
  • Use resource addressing and resource parameters to connect resources together
  • Use variables and outputs
    • Variables
      • serve as parameters for a Terraform module and
      • act like function arguments
      • count is a reserved word and cannot be used as variable name
      • Variable precedence (highest to lowest): -var and -var-file on CLI → *.auto.tfvars → terraform.tfvars → Environment variables (TF_VAR_)
    • Output
      • are like function return values.
      • can be marked sensitive which prevents showing its value in the list of outputs. However, they are stored in the state as plain text.
  • Understand the use of collection and structural types
    • supports primitive data types of
      • string, number and bool
      • automatically convert number and bool values to string values
    • supports complex data types of
      • list – sequence of values identified by consecutive whole numbers starting with zero.
      • map – collection of values where each is identified by a string label
      • set – collection of unique values that do not have any secondary identifiers or ordering.
    • supports structural data types of
      • object – a collection of named attributes with their own type
      • tuple – a sequence of elements identified by consecutive whole numbers starting with zero, where each element has its own type.
  • Write dynamic configuration using expressions and functions
    • lookup retrieves the value of a single element from a map, given its key. If the given key does not exist, a the given default value is returned instead. lookup(map, key, default)
    • zipmap constructs a map from a list of keys and a corresponding list of values. zipmap(["a", "b"], [1, 2]) results into {"a" = 1, "b" = 2}
    • dynamic blocks act much like a for expression, but produce nested blocks instead of a complex typed value. It iterates over a given complex value, and generates a nested block for each element of that complex value.
    • Overuse of dynamic blocks is not recommended as it makes the code hard to understand and debug
  • Define resource dependencies in configuration
    • Terraform analyses any expressions within a resource block to find references to other objects and treats those references as implicit ordering requirements when creating, updating, or destroying resources.
    • Explicit dependency can be defined using the depends_on attribute where dependencies between resources that are not visible
    • Lifecycle meta-argument create_before_destroy ensures the replacement resource is created before the original is destroyed
  • Validate configuration using custom conditions (New in 004)
    • check blocks define assertions about infrastructure that run during plan and apply
    • Preconditions and postconditions can be added to resources and data sources using lifecycle blocks
    • Variable validation blocks allow custom validation rules for input variables
  • Understand best practices for managing sensitive data (New in 004)
    • Ephemeral values (Terraform 1.10+) are temporary values that are not persisted to state or plan files
    • Write-only arguments allow resource arguments to be set but never read back from state
    • Use HashiCorp Vault provider for dynamic secrets injection
    • Terraform has no mechanism to redact secrets returned via data sources — secrets are persisted into state
    • Protect state with encryption and proper access control using remote backends
  • Supports comments using #, // and /* */

5. Terraform Modules

  • Explain how Terraform sources modules
    • Terraform Module Registry allows you to browse, filter and search for modules
    • Modules can be sourced from: local paths, Terraform Registry, GitHub, Bitbucket, S3 buckets, GCS buckets, and generic git repos
  • Describe variable scope within modules/child modules
    • Modules are called from within other modules using module blocks
    • All modules require a source argument, which is a meta-argument defined by Terraform
    • Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without altering the module’s own source code
    • Resources defined in a module are encapsulated, so the calling module cannot access their attributes directly.
    • Child module can declare output values to selectively export certain values to be accessed by the calling module module.module_name.output_value
  • Use modules in configuration
    • To call a module means to include the contents of that module into the configuration with specific values for its input variables.
  • Manage module versions
    • must be on GitHub and must be a public repo, if using public registry.
    • must be named terraform-<PROVIDER>-<NAME>, where <NAME> reflects the type of infrastructure the module manages and <PROVIDER> is the main provider where it creates that infrastructure. for e.g. terraform-google-vault or terraform-aws-ec2-instance.
    • must maintain x.y.z tags for releases to identify module versions. Tags can optionally be prefixed with a v for example, v1.0.4 and 0.9.2. Tags that don’t look like version numbers are ignored.
    • must maintain a Standard module structure, which allows the registry to inspect the module and generate documentation, track resource usage, parse submodules and examples, and more.

6. Terraform State Management

  • Describe the local backend
    • A “backend” in Terraform determines how state is loaded and how an operation such as apply is executed.
    • determines how state is loaded and how an operation such as apply is executed
    • is responsible for storing state and providing an API for optional state locking
    • needs to be initialized
    • helps
      • collaboration and working as a team, with the state maintained remotely and state locking
      • can provide enhanced security for sensitive data
      • support remote operations
    • local (default) backend stores state in a local JSON file on disk
  • Describe state locking
    • happens for all operations that could write state, if supported by backend
    • prevents others from acquiring the lock & potentially corrupting the state
    • use force-unlock command to manually unlock the state if unlocking failed
    • backends which support state locking include:
      • AWS S3 — now supports native S3 state locking (Terraform 1.10+, Nov 2024) without DynamoDB. Legacy DynamoDB-based locking is being deprecated.
      • azurerm
      • Google Cloud Storage (GCS)
      • HashiCorp Consul
      • Kubernetes Secret with locking done using a Lease resource
      • PostgreSQL
      • HCP Terraform / Terraform Enterprise
      • HTTP endpoints
  • Configure remote state using the backend block
    • Backend configuration doesn’t support interpolations.
    • supports partial configuration with remaining configuration arguments provided as part of the initialization process
    • if switching the backend for the first time setup, Terraform provides a migration option
    • remote backend stores state remotely like S3, GCS, Consul and supports features like remote operation, state locking, encryption, versioning etc.
  • Manage resource drift and Terraform state
    • terraform plan -refresh-only (preferred) or terraform refresh (legacy) is used to reconcile the state Terraform knows about with the real-world infrastructure.
    • can be used to detect any drift from the last-known state, and to update the state file.
    • does not modify infrastructure but does modify the state file.
    • moved blocks (Terraform 1.1+) — refactor resources (rename, move to/from modules) without destroying and recreating them
    • removed blocks (Terraform 1.7+) — remove resources from state without destroying the actual infrastructure
    • Use terraform state command for advanced state management:
      • mv – to move/rename modules
      • rm – to safely remove resource from the state
      • pull – to observe current remote state
      • list & show – to view state resources
  • Handle backend authentication methods
    • every remote backend supports different authentication mechanisms and can be configured with the backend configuration

7. Maintain Infrastructure with Terraform

  • Import existing infrastructure into your Terraform workspace
    • terraform import (CLI command) helps import already-existing external resources into Terraform state
    • import blocks (Terraform 1.5+) — declarative import that can generate configuration. Preferred over CLI import.
    • Run terraform plan -generate-config-out=generated.tf to auto-generate configuration for imported resources
  • Use the CLI to inspect state
    • terraform state list — list resources in state
    • terraform state show — show attributes of a single resource
    • recommended not to edit the state manually
  • Describe when and how to use verbose logging
    • debugging can be controlled using TF_LOG, which can be configured for different levels TRACE, DEBUG, INFO, WARN or ERROR, with TRACE being the most verbose.
    • logs path can be controlled using TF_LOG_PATH. TF_LOG needs to be specified.
    • Separate core and provider logs with TF_LOG_CORE and TF_LOG_PROVIDER
  • Given a scenario: choose when to use terraform workspace to create workspaces
    • Terraform workspace helps manage multiple distinct sets of infrastructure resources or environments with the same code.
    • state files for each workspace are stored in the directory terraform.tfstate.d
    • terraform workspace new dev creates a new workspace with name dev and switches to it as well
    • does not provide strong separation as it uses the same backend
  • Understand provisioners (use as last resort)
    • Terraform provides local-exec and remote-exec provisioners
      • local-exec executes code on the machine running terraform
      • remote-exec executes on the resource provisioned and supports ssh and winrm
    • Provisioners should only be used as a last resort — HashiCorp strongly recommends alternatives like cloud-init, user_data, or configuration management tools
    • Vendor-specific provisioners (Chef, Puppet, Habitat, Salt) were removed in Terraform 0.15+
    • are defined within the resource block.
    • support types – Create and Destroy
      • if creation time fails, resource is tainted if provisioning failed, by default. (next apply it will be re-created)
      • behavior can be overridden by setting the on_failure to continue
      • for destroy, if it fails – resources are not removed
  • Force resource recreation (terraform taint deprecated)
    • terraform taintDEPRECATED since Terraform v0.15.2. Do not use.
    • Use terraform apply -replace="aws_instance.example" instead — this is safer as the replacement is part of the plan and visible before applying

8. HCP Terraform (formerly Terraform Cloud)

  • Use HCP Terraform to create infrastructure
    • HCP Terraform (renamed from Terraform Cloud in April 2024) provides remote state management, remote operations, and team collaboration
    • Supports VCS-driven, CLI-driven, and API-driven workflows
    • Remote operations allow terraform plan and apply to run in HCP Terraform’s managed environment
  • Describe HCP Terraform collaboration and governance features
    • HCP Terraform provides a private module registry for storing modules private to the organization
    • Policy enforcement — supports Sentinel and OPA (Open Policy Agent) for policy-as-code
    • Drift detection — automatically detects when real infrastructure diverges from state
    • Change requests — review and approval workflows for infrastructure changes
    • Teams and permissions — role-based access control for workspaces
    • Run tasks — integrate third-party tools into the run workflow
  • Describe how to organize and use HCP Terraform workspaces and projects (New in 004)
    • Projects — group related workspaces together for easier management and access control
    • Variable sets — share variables across multiple workspaces
    • Run triggers — create dependencies between workspaces so changes propagate
    • Workspaces in HCP Terraform are different from CLI workspaces — each has its own state, variables, and team access
  • Configure and use HCP Terraform integration
    • Use the cloud block in configuration to connect to HCP Terraform (replaces legacy remote backend)
    • terraform login authenticates with HCP Terraform
    • State can be migrated from local/other backends to HCP Terraform
  • Differentiate Terraform editions
    • Terraform Community Edition (open-source, BSL 1.1 licensed) — single-user CLI workflow
    • HCP Terraform (SaaS) — remote operations, collaboration, governance. Free tier available.
    • Terraform Enterprise — self-hosted version of HCP Terraform for air-gapped/on-premises deployments

Key Terraform Features by Version (2023-2026)

Version Release Key Features
1.5 Jun 2023 import blocks, check blocks, config-driven import
1.6 Oct 2023 terraform test framework, BSL 1.1 license change
1.7 Jan 2024 removed blocks, provider-defined functions
1.8 Apr 2024 Provider-defined functions GA, backend improvements
1.9 Jun 2024 Input variable validation improvements, templatestring function
1.10 Nov 2024 Ephemeral values, write-only arguments, S3 native state locking
1.11 Feb 2025 Stability improvements and bug fixes
1.12 2025 Exam 004 target version, enhanced ephemeral resources

HashiCorp Certified Terraform Associate Exam Resources

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Learning Path

AWS Certified Alexa Skill Builder - Specialty Certificate

⚠️ CERTIFICATION RETIRED

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) was retired on March 23, 2021.

The last day to take this exam was March 22, 2021. Certifications earned prior to retirement remained active for the standard three-year period but have now all expired.

This content is maintained for historical reference and for those interested in Alexa skill development concepts.

Recommended Current AWS Certifications:

📢 Alexa Ecosystem Update (2024-2026)

  • Alexa+ – Amazon launched its next-generation AI-powered assistant (Alexa+) in February 2026, free for Prime members. It represents a major shift from the traditional skills-based model to conversational AI.
  • Developer Program Changes – Amazon ended the Alexa Developer Rewards Program and AWS Promotional Credits for Alexa in June 2024.
  • Deprecated Features – Multiple Alexa features have been deprecated including A/B testing (Aug 2025), Alexa Routines Kit (May 2026), and EventDetectionSensor (Feb 2023).
  • The Alexa Skills Kit remains available for developers, but the ecosystem focus has shifted significantly toward generative AI capabilities.

Finally All Down for AWS (for now) …

Continuing on my AWS journey with the last AWS certification, I took another step by clearing the AWS Certified Alexa Skill Builder – Specialty (AXS-C01) certification. It is amazing to know and learn how Voice first experiences are making an impact and changing how we think about technology and use cases.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) exam basically validates your ability to build, test, publish and certify Alexa skills.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Summary

  • AWS Certified Alexa Skill Builder – Specialty exam focuses only on Alexa and how to build skills.
  • AWS Certified Alexa Skill Builder – Specialty exam has 65 questions with a time limit of 170 minutes
  • Compared to the other professional and specialty exams, the question and answers are not long and similar to associate exams. So if you are prepared well, it should not need the 170 minutes.
  • As the exam was online from home, there was no access to paper and pen but the trick remains the same, read the question and draw a rough architecture and focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach to the right answer or atleast have a 50% chance of getting it right.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Topic Summary

Refer AWS Alexa Cheat Sheet

Domain 1: Voice-First Design Practices and Capabilities

1.1 Describe how users interact with skills

1.2 Map features and capabilities to use cases

  • Alexa supports display cards to display text (Simple card) and text with image (Standard card)
  • Alexa Alexa Skill Kits supports APIs
    • Alexa Settings APIs allow developers to retrieve customer preferences for the settings like time zone, distance measuring unit, and temperature measurement unit
    • Device services – a skill can request the customer’s permission to their address information, which is a static data filled by customer and includes the country/region, postal code and full address
    • Customer Profile services – a skill can request the customer’s permission to their contact information, which includes name, email address and phone number
    • With Location services, a skill can ask a user’s permission to obtain the real-time location of their Alexa-enabled device, specifically at the time of the user’s request to Alexa, so that the skill can provide enhanced services.
  • Alexa Skill Kit APIs need apiAccessToken and deviceId to access the ASK APIs
  • Progressive Response API allows you to keep the user engaged while the skill prepares a full response to the user’s request.
  • Personalization can be provided using userId and state persistence

Domain 2: Skill Design

2.1 Design and develop an interaction model

  • Alexa interaction model includes skill, Invocation name, utterances, slots, Intents
  • A skill is ‘an app for Alexa’, however they are not downloadable but just need to be enabled.
  • Wakeword – Amazon offers a choice of wakewords like ‘Alexa’, ‘Amazon’, ‘Echo’, ‘skill’, ‘app’ or ‘Computer’, with the default being ‘Alexa’.
  • Launch phrases include “run,” “start,” “play,” “resume,” “use,” “launch,” “ask,” “open,” “tell,” “load,” “begin,” and “enable.”
  • Connecting words include “to,” “from,” “in,” “using,” “with,” “about,” “for,” “that,” “by,” “if,” “and,” “whether.”
  • Invocation name
    • is the word or phrase used to trigger the skill for custom skills and the invocation name should adhere to the requirements
    • must not infringe upon the intellectual property rights of an entity or person
    • must be compound of two or more works.
    • One-word invocation names are allowed only for brand/intellectual property.
    • must not include names of people or places
    • if two-word invocation names, one of the words cannot be a definite article (“the”), indefinite article (“a”, “an”) or preposition (“for”, “to”, “of,” “about,” “up,” “by,” “at,” “off,” “with”).
    • must not contain any of the Alexa skill launch phrases, connecting words and wake words
    • must contain only lower-case alphabetic characters, spaces between words, and possessive apostrophes
    • must spell characters like numbers for e.g., twenty one
    • can have periods in the invocation names containing acronyms or abbreviations that are pronounced as a series of individual letters, for e.g. NASA as n. a. s. a.
    • cannot spell out phonemes for e.g., a skill titled “AWS Facts” would need “AWS” represented as “a. w. s. ” and NOT “ay double u ess.”
    • must not create confusion with existing Alexa features.
    • must be written in each supported language
  • An intent is what a user is trying to accomplish.
    • Amazon provides standard built-in intents which can be extended
    • Intents need to have a unique utterance
  • Utterances are the specific phrases that people will use when making a request to Alexa.
  • A slot is a variable that relates to an intent allowing Alexa to understand information about the request
    • Amazon provides standard built-in slots which can be extended
  • Entity resolution improves the way Alexa matches possible slot values in a user’s utterance with the slots defined in your interaction model

2.2 Design a multi-turn conversation

  • Alexa Dialog management model identifies the prompts and utterances to collect, validate, and confirm the slot values and intents.
  • Alexa supports
    • Auto Delegation where Alexa completes all of the dialog steps based on the dialog model.
    • Manual delegation using Dialog.Delegate where Alexa sends the skill an IntentRequest for each turn of the conversation and provides more flexibility.
  • AMAZON.FallbackIntent will not be triggered in the middle of a dialog

2.3 Use built-in intents and slots

  • Standard built-in intents cannot include any slots. If slots are needed, create a custom intent and write your own sample utterances.
  • Alexa recommends using and extending standard built-in intents like Alexa.HelpIntent, Alexa.YesIntent with additional utterances as per the skill requirements
  • Alexa provides Alexa.FallbackIntent for handling any unmatched utterances and can be used to improve the interaction model accuracy.
  • Standard built-in intents cannot include any slots. If slots are needed, create a custom intent and write your own sample utterances.
  • Alexa provides slot which helps capture variables and can be either be a Amazon predefined slot such as dates, numbers, durations, time, etc. or a custom one specific to the skill
  • Predefined slots can be extended to add additional values

2.4 Handle unexpected conversational requests or responses

  • Alexa provides Alexa.FallbackIntent for handling any unmatched utterances and can be used to improve the interaction model accuracy.
  • Alexa also provides Intent History which provides a consolidate view with aggregated, anonymized frequent utterances and the resolved intents. These can be used to map the utterances to correct intents

2.5 Design multi-modal skills using one or more service interfaces (for example, audio, video, and gadgets)

  • Alexa enabled devices with a screen handles Page and Scroll intents. Do not handle Next and Previous.
  • Alexa skill with AudioPlayer interface
    • must handle AMAZON.ResumeIntent and AMAZON.PauseIntent
    • PlaybackController events to track AudioPlayer status changes initiated from the device buttons

Domain 3: Skill Architecture

3.1 Identify AWS services for extending Alexa skill functionality (Amazon CloudFront, Amazon S3, Amazon CloudWatch, and Amazon DynamoDB)

  • Focus on standard skill architecture using Lambda for backend, DynamoDB for persistence, S3 for severing static assets, and CloudWatch for monitoring and logs.
  • Lambda provide serverless handling for the Alexa requests, but remember the following limits
    • default concurrency soft limit of 1000 can be increased by raising a support request
    • default timeout of 3 secs, and should be increased to atleast 7 secs to be inline with Alexa timeout of 8 secs
    • default memory of 128mb, increase to improve performance
  • S3 performance can be improved by exposing it through CloudFront esp. for images, audio and video files

3.2 Use AWS Lambda to build Alexa skills

  • Lambda integrates with CloudWatch to provide logs and should be the first thing to check in case of any issues or errors.
  • Alexa allows any http endpoint to act as a backend, but needs to meet following requirements
    • must be accessible over the internet.
    • must accept HTTP requests on port 443.
    • must support HTTP over SSL/TLS, using an Amazon-trusted certificate.

3.3 Follow AWS and Alexa security and privacy best practices

  • Alexa requires the backend to verify that incoming requests come from Alexa using Skill ID verification
  • Child-directed skills cannot use personal and location information
  • Skills cannot be used to capture health information
  • Alexa Skills Kit uses the OAuth 2.0 authentication framework for Account linking, which defines a means by which the service can allow Alexa, with the user’s permission, to access information from the account that the user has set up with you.
  • Alexa smart home skills must have OAuth authorization code grant implementation while custom skills can have authorization code grant or impact grant implementation.

Domain 4: Skill Development

4.1 Implement in-skill purchasing and Amazon Pay for Alexa Skills

  • In-skill purchasing enables selling premium content such as game features and interactive stories in skills with a custom interaction model.
  • In-skill purchasing is handled by Alexa when the skill sends a Upsell directive. As the skill session ends when a Upsell directive is sent, be sure to save any relevant user data in a persistent data store so that the skill can continue where the user left off after the purchase flow is completed and the endpoint is back in control of the user experience.
  • Skill can handle the Connections.Response request that indicates the result of a purchase flow and resume the skill

4.2 Use Speech Synthesis Markup Language (SSML) for expression and MP3 audio

  • SSML is a markup language that provides a standard way to mark up text for the generation of synthetic speech.
  • Alexa supports a subset of SSML tags including
    • say-as to interpret text as telephone, date, time etc.
    • phonemeprovides a phonemic/phonetic pronunciation
    • prosody modifies the volume, pitch, and rate of the tagged speech.
    • audioallows playing MP3 player while rendering a response
      • must be in valid MP3 file (MPEG version 2) format
      • must be hosted at an Internet-accessible HTTPS endpoint.
      • For speech response, the audio file cannot be longer than 240 seconds.
        • combined total time for all audio files in the outputSpeech property of the response cannot be more than 240 seconds.
        • combined total time for all audio files in the reprompt property of the response cannot be more than 90 seconds.
      • bit rate must be 48 kbps.
      • sample rate must be 22050Hz, 24000Hz, or 16000Hz.

4.3 Implement state management

  • Alexa Skill state persistence can be handled using session attributes during the session and externally using services like DynamoDB, RDS across sessions.

4.4 Implement Alexa service interfaces (audio player, video player, and screens)

4.5 Parse Alexa JSON requests and provide responses

  • All requests include the session (optional), context, and request objects at the top level.
    • session object provides additional context associated with the request.
      • session attributes can be used to store data
      • user containing userId to uniquely define an user and accessToken to access other services.
      • system object provides apiAccessToken and device object provides deviceId to access ASK APIs
      • application provide applicationId
      • device object provides supportedInterfaces to list each interface that the device supports
      • user containing userId to uniquely define an user and accessToken to access other services.
    • A request object that provides the details of the user’s request.
  • Response includes
    • outputSpeech contains the speech to render to the user.
    • reprompt contains the outputSpeech to use if a re-prompt is necessary.
    • shouldEndSession provides a boolean value that indicates what should happen after Alexa speaks the response.

Domain 5: Test, Validate, and Troubleshoot

5.1 Debug and troubleshoot using Amazon CloudWatch or other tools

  • Lambda integrates with CloudWatch for metric and logs and can be check for any errors and metrics.

5.2 Use the Alexa developer testing tools

  • Utterance profiles – test utterances to know what intent they resolve to
  • Alexa Skill simulator
    • provides an ability to Interact with Alexa with either your voice or text, without an actual device.
    • maintains the skill session, so the interaction model and dialog flow can be tested.
    • supports multiple languages testing by selecting locale
    • has limitations in testing audio, video, Alexa settings and Device API
  • Manual Json
    • enter a JSON request directly and see the skill returned JSON response
    • does not maintain the skill session and is similar to testing a JSON request in the Lambda console.
  • Voice & Tone – enter plain text or SSML and hear how Alexa speaks the text in a selected language
  • Alexa device – test with an Alexa-enabled device.
  • Alexa app – test the skill with the Alexa app for Android/iOS
  • Lambda Test console – to test Lambda functions

5.3 Perform beta testing

  • Skill beta testing tool can be used to test the Alexa skill in beta before releasing it to production
  • Beat testing allows testing changes to an existing skill, while still keeping the currently live version of the skill available for the general public.
  • Members can be invited using their Alexa email address. Alexa device used by the beta tester must be associated with the email address in the tester’s invitation.

5.4 Troubleshoot errors in the interaction model

Domain 6: Publishing, Operations, and Lifecycle Management

6.1 Describe the skill publishing process

  • Alexa skill needs to go through certification process before the Skill is live and made available to the users
  • Alexa creates an in development version of the skill, once the skill becomes live
  • Alexa Skill live version cannot be edited, and it is recommended to edit the in development skill, test and then re-certify for publishing.
  • Backend changes like changes in Lambda functions or response output from the function, however, can be made on live version and do not require re-certification. However, it is recommended to use Lambda versioning or alias to do such changes.
  • Alexa for Business allows skill to be made private and available to select users within the company

6.2 Add and remove users in the developer console

  • Alexa Skill Developer console access can be shared across multiple users for collaboration
  • Administrator and Analyst roles will also have access to the Earnings and Payments sections.
  • Administrator and Marketer roles will also have access to edit the content associated with apps (i.e. Descriptions, Images & Multimedia) and IAPs
  • Administrator and Developer roles will have access to create, modify and delete Alexa skills using ASK CLI and SMAPI.
  • Administrator, Analyst and Marketer roles have access to sales report

6.3 Perform analysis of skill analytics in the developer console

  • Intent History – View aggregated, anonymized frequent utterances and the resolved intents. You cannot track the user intent history as they are anonymized.
  • Actions – Unique customers per action, total actions, and total utterances per action.
  • Customers – Total number of unique customers who accessed the skill.
  • Intents – Unique customers per intent, total utterances per intent, total intents, and failed intents.
  • Interaction Path – Paths users take when interacting with the skill.
  • Plays Total number of times that a user played the skill content.
  • Retention (live skills only) Usage of the skill over time by groups of customers or cohorts. View the number or percentage of customers who returned to your skill over a 12-week period.
  • Sessions Total sessions, successful session types (sessions that didn’t end due to an error), average sessions per customer. Includes a breakdown of successful, failed, and no-response sessions as a percentage of total sessions. Custom
  • Utterances Metrics for utterances depend on the skill category.

6.4 Differentiate among the statuses/versions of skills (for example, In Development, In Certification, and Live)

  • In Development – skill available for development, testing
  • In Review – A certification review is in progress and the skill cannot be edited
  • Certified – Skill passed certification review, and is not yet available to users
  • Live – skill has been published and is available to users. You cannot edit the configuration for live skills
  • Hidden – skill was previously published, but has since been hidden. Existing users can access the skill. New users cannot discover the skill.
  • Removed – skill was previously published, but has since been removed. Users cannot enable or use the skill.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Resources

Recommended Current AWS Certifications

Since the Alexa Skill Builder certification has been retired, consider these current AWS certifications that cover related domains:

Certification Focus Area Relevance
AWS Certified AI Practitioner (AIF-C01) AI/ML fundamentals, Generative AI Covers AI services including Amazon Lex (conversational interfaces)
AWS Certified ML Engineer – Associate ML model building and deployment NLP, speech processing, conversational AI models
AWS Certified Developer – Associate (DVA-C02) Application development on AWS Lambda, DynamoDB, API Gateway – same services used in Alexa skills
AWS Certified Generative AI Developer – Professional Building generative AI applications Next-gen conversational AI, Amazon Bedrock, LLM-powered apps

Alexa Development Resources (Current)

While the certification is retired, Alexa skill development continues. Here are current resources:

AWS Certified Solutions Architect – Associate SAA-C02 Exam Learning Path

SAA-C02 Certification

⚠️ EXAM RETIRED – SAA-C02 No Longer Available

AWS Solutions Architect – Associate SAA-C02 exam was retired on August 29, 2022 and has been replaced by the SAA-C03 exam.

This content is maintained for historical reference only. If you are preparing for the AWS Solutions Architect – Associate certification, please refer to the current exam version.

👉 AWS Certified Solutions Architect – Associate SAA-C03 Exam Learning Path

Key differences in SAA-C03:

  • Reorganized into 4 domains: Secure Architectures (30%), Resilient Architectures (26%), High-Performing Architectures (24%), Cost-Optimized Architectures (20%)
  • Increased emphasis on security (now the highest-weighted domain)
  • Added modern services: AWS Transfer Family, AWS DataSync, Amazon EventBridge, AWS Transit Gateway, AWS Network Firewall, Amazon EKS/Fargate
  • Greater focus on serverless, containers, and multi-account architectures
  • Sustainability considerations added

AWS Certified Solutions Architect – Associate SAA-C02 Exam Learning Path

[HISTORICAL REFERENCE – Exam Retired August 29, 2022]

AWS Solutions Architect – Associate SAA-C02 exam was the AWS certification exam that replaced the previous SAA-C01 and was itself replaced by the current SAA-C03 exam on August 30, 2022. It validated the ability to effectively demonstrate knowledge of how to architect and deploy secure and robust applications on AWS technologies.

  • Define a solution using architectural design principles based on customer requirements.
  • Provide implementation guidance based on best practices to the organization throughout the life cycle of the project.

AWS Solutions Architect – Associate SAA-C02 Exam Summary

  • SAA-C02 exam consisted of 65 questions in 130 minutes.
  • SAA-C02 Exam covered the architecture aspects in deep, focusing on how to visualize the architecture and how different services relate.
  • AWS updated the exam concepts from the focus being on individual services to more building of scalable, highly available, cost-effective, performant, resilient architectures.
  • If you had been preparing for the SAA-C01 –
    • SAA-C02 was pretty much similar to SAA-C01 except the operational effective architecture domain was dropped
    • Most of the services and concepts covered by the SAA-C01 were the same. There were few new additions like Aurora Serverless, AWS Global Accelerator, FSx for Windows, FSx for Lustre

AWS Solutions Architect – Associate SAA-C02 Exam Resources

Note: These resources are outdated. For current SAA-C03 preparation resources, visit the SAA-C03 Exam Learning Path.

AWS Solutions Architect – Associate SAA-C02 Exam Topics

Note: These topics are for the retired SAA-C02 exam. For current exam topics, refer to the SAA-C03 Exam Learning Path.

Networking

  • Be sure to create VPC from scratch. This is mandatory.
    • Create VPC and understand whats a CIDR and addressing patterns
    • Create public and private subnets, configure proper routes, security groups, NACLs. (hint: Subnets are public or private depending on whether they can route traffic directly through Internet gateway)
    • Create Bastion for communication with instances
    • Create NAT Gateway or Instances for instances in private subnets to interact with internet
    • Create two tier architecture with application in public and database in private subnets
    • Create three tier architecture with web servers in public, application and database servers in private. (hint: focus on security group configuration with least privilege)
    • Make sure to understand how the communication happens between Internet, Public subnets, Private subnets, NAT, Bastion etc.
  • Understand difference between Security Groups and NACLs (hint: Security Groups are Stateful vs NACLs are stateless. Also only NACLs provide an ability to deny or block IPs)
  • Understand VPC endpoints and what services it can help interact (hint: VPC Endpoints routes traffic internally without Internet)
    • VPC Gateway Endpoints supports S3 and DynamoDB.
    • VPC Interface Endpoints OR Private Links supports others
  • Understand difference between NAT Gateway and NAT Instance (hint: NAT Gateway is AWS managed and is scalable and highly available)
  • Understand how NAT high availability can be achieved (hint: provision NAT in each AZ and route traffic from subnets within that AZ through that NAT Gateway)
  • Understand VPN and Direct Connect for on-premises to AWS connectivity
    • VPN provides quick connectivity, cost-effective, secure channel, however routes through internet and does not provide consistent throughput
    • Direct Connect provides consistent dedicated throughput without Internet, however requires time to setup and is not cost-effective
  • Understand Data Migration techniques
    • Choose Snowball vs Snowmobile vs Direct Connect vs VPN depending on the bandwidth available, data transfer needed, time available, encryption requirement, one-time or continuous requirement
    • Snowball, SnowMobile are for one-time data, cost-effective, quick and ideal for huge data transfer
    • Direct Connect, VPN are ideal for continuous or frequent data transfers
  • Understand CloudFront as CDN and the static and dynamic caching it provides, what can be its origin (hint: CloudFront can point to on-premises sources and its usecases with S3 to reduce load and cost)
  • Understand Route 53 for routing
    • Understand Route 53 health checks and failover routing
    • Understand Route 53 Routing Policies it provides and their use cases mainly for high availability (hint: focus on weighted, latency, geolocation, failover routing)
  • Be sure to cover ELB concepts in deep.
    • SAA-C02 focuses on ALB and NLB and does not cover CLB
    • Understand differences between CLB vs ALB vs NLB
      • ALB is layer 7 while NLB is layer 4
      • ALB provides content based, host based, path based routing
      • ALB provides dynamic port mapping which allows same tasks to be hosted on ECS node
      • NLB provides low latency and ability to scale
      • NLB provides static IP address

Security

  • Understand IAM as a whole
    • Focus on IAM role (hint: can be used for EC2 application access and Cross-account access)
    • Understand IAM identity providers and federation and use cases
    • Understand MFA and how would implement two factor authentication for an application
    • Understand IAM Policies (hint: expect couple of questions with policies defined and you need to select correct statements)
  • Understand encryption services
  • AWS WAF integrates with CloudFront to provide protection against Cross-site scripting (XSS) attacks. It also provides IP blocking and geo-protection.
  • AWS Shield integrates with CloudFront to provide protection against DDoS.
  • Refer Disaster Recovery whitepaper, be sure you know the different recovery types with impact on RTO/RPO.

Storage

  • Understand various storage options S3, EBS, Instance store, EFS, Glacier, FSx and what are the use cases and anti patterns for each
  • Instance Store
    • Understand Instance Store (hint: it is physically attached to the EC2 instance and provides the lowest latency and highest IOPS)
  • Elastic Block Storage – EBS
    • Understand various EBS volume types and their use cases in terms of IOPS and throughput. SSD for IOPS and HDD for throughput
    • Understand Burst performance and I/O credits to handle occasional peaks
    • Understand EBS Snapshots (hint: backups are automated, snapshots are manual)
  • Simple Storage Service – S3
    • Cover S3 in depth
    • Understand S3 storage classes with lifecycle policies
      • Understand the difference between S3 Standard vs S3 IA vs S3 IA One Zone in terms of cost and durability
    • Understand S3 Data Protection (hint: S3 Client side encryption encrypts data before storing it in S3)
    • Understand S3 features including
      • S3 provides a cost effective static website hosting
      • S3 versioning provides protection against accidental overwrites and deletions
      • S3 Pre-Signed URLs for both upload and download provides access without needing AWS credentials
      • S3 CORS allows cross domain calls
      • S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
    • Understand Glacier as an archival storage with various retrieval patterns
    • Glacier Expedited retrieval allows object retrieval within mins
  • Understand Storage gateway and its different types.
    • Cached Volume Gateway provides access to frequently accessed data, while using AWS as the actual storage
    • Stored Volume gateway uses AWS as a backup, while the data is being stored on-premises as well
    • File Gateway supports SMB protocol
  • Understand FSx easy and cost effective to launch and run popular file systems.
  • Understand the difference between EBS vs S3 vs EFS
    • EFS provides shared volume across multiple EC2 instances, while EBS can be attached to a single volume within the same AZ.
  • Understand the difference between EBS vs Instance Store
  • Would recommend referring Storage Options whitepaper, although a bit dated 90% still holds right

Compute

  • Understand Elastic Cloud Compute – EC2
  • Understand Auto Scaling and ELB, how they work together to provide High Available and Scalable solution. (hint: Span both ELB and Auto Scaling across Multi-AZs to provide High Availability)
  • Understand EC2 Instance Purchase Types – Reserved, Scheduled Reserved, On-demand and Spot and their use cases
    • Choose Reserved Instances for continuous persistent load
    • Choose Scheduled Reserved Instances for load with fixed scheduled and time interval
    • Choose Spot instances for fault tolerant and Spiky loads
    • Reserved instances provides cost benefits for long terms requirements over On-demand instances
    • Spot instances provides cost benefits for temporary fault tolerant spiky load
  • Understand EC2 Placement Groups (hint: Cluster placement groups provide low latency and high throughput communication, while Spread placement group provides high availability)
  • Understand Lambda and serverless architecture, its features and use cases. (hint: Lambda integrated with API Gateway to provide a serverless, highly scalable, cost-effective architecture)
  • Understand ECS with its ability to deploy containers and micro services architecture.
    • ECS role for tasks can be provided through taskRoleArn
    • ALB provides dynamic port mapping to allow multiple same tasks on the same node
  • Know Elastic Beanstalk at a high level, what it provides and its ability to get an application running quickly.

Databases

  • Understand relational and NoSQL data storage options which include RDS, DynamoDB, Aurora and their use cases
  • RDS
    • Understand RDS features – Read Replicas vs Multi-AZ
      • Read Replicas for scalability, Multi-AZ for High Availability
      • Multi-AZ are regional only
      • Read Replicas can span across regions and can be used for disaster recovery
    • Understand Automated Backups, underlying volume types
  • Aurora
    • Understand Aurora
      • provides multiple read replicas and replicates 6 copies of data across AZs
    • Understand Aurora Serverless provides a highly scalable cost-effective database solution
  • DynamoDB
    • Understand DynamoDB with its low latency performance, key-value store (hint: DynamoDB is not a relational database)
    • DynamoDB DAX provides caching for DynamoDB
    • Understand DynamoDB provisioned throughput for Read/Writes
  • Know ElastiCache use cases, mainly for caching performance

Integration Tools

  • Understand SQS as message queuing service and SNS as pub/sub notification service
  • Understand SQS features like visibility, long poll vs short poll
  • Focus on SQS as a decoupling service
  • Understand SQS Standard vs SQS FIFO difference (hint: FIFO provides exactly once delivery but low throughput)

Analytics

  • Know Redshift as a business intelligence tool
  • Know Kinesis for real time data capture and analytics
  • Know what AWS Glue does, so you can eliminate the answer

Management Tools

  • Understand CloudWatch monitoring to provide operational transparency
  • Know which EC2 metrics it can track. Remember, it cannot track memory and disk space/swap utilization
  • Understand CloudWatch is extendable with custom metrics
  • Understand CloudTrail for Audit
  • Have a basic understanding of CloudFormation, OpsWorks

AWS Whitepapers & Cheat sheets

AWS Solutions Architect – Associate SAA-C02 Exam Domains

Note: SAA-C03 has reorganized these into 4 domains with different weightings. See the SAA-C03 Exam Learning Path for current domains.

Domain 1: Design Resilient Architectures

  1. Design a multi-tier architecture solution
  2. Design highly available and/or fault-tolerant architectures
  3. Design decoupling mechanisms using AWS services
  4. Choose appropriate resilient storage

Domain 2: Define High-Performing Architectures

  1. Identify elastic and scalable compute solutions for a workload
  2. Select high-performing and scalable storage solutions for a workload
  3. Select high-performing networking solutions for a workload
  4. Choose high-performing database solutions for a workload

Domain 3: Specify Secure Applications and Architectures

  1. Design secure access to AWS resources
  2. Design secure application tiers
  3. Select appropriate data security options

Domain 4: Design Cost-Optimized Architectures

  1. Determine how to design cost-optimized storage.
  2. Determine how to design cost-optimized compute.

AWS Certified Big Data -Speciality (BDS-C00) Exam Learning Path

⚠️ CERTIFICATION RETIRED

AWS Certified Big Data – Specialty (BDS-C00) was retired on July 1, 2020.

It was replaced by AWS Certified Data Analytics – Specialty (DAS-C01), which was itself retired on April 9, 2024.

The current replacement certification is:

This content is maintained for historical reference only. For current exam preparation, see the AWS Certified Data Engineer – Associate Exam Learning Path.

Clearing the AWS Certified Big Data – Speciality (BDS-C00) was a great feeling. This was my third Speciality certification and in terms of the difficulty level (compared to Network and Security Speciality exams), I would rate it between Network (being the toughest) Security (being the simpler one).

Big Data in itself is a very vast topic and with AWS services, there is lots to cover and know for the exam. If you have worked on Big Data technologies including a bit of Visualization and Machine learning, it would be a great asset to pass this exam.

AWS Certified Big Data – Speciality (BDS-C00) exam basically validates

  • Implement core AWS Big Data services according to basic architectural best practices
  • Design and maintain Big Data
  • Leverage tools to automate Data Analysis

Refer AWS Certified Big Data – Speciality Exam Guide for details

AWS Certified Big Data – Speciality Domains

AWS Certified Big Data – Speciality (BDS-C00) Exam Summary

  • AWS Certified Big Data – Speciality exam, as its name suggests, covers a lot of Big Data concepts right from data transfer and collection techniques, storage, pre and post processing, analytics, visualization with the added concepts for data security at each layer.
  • One of the key tactic I followed when solving any AWS Certification exam is to read the question and use paper and pencil to draw a rough architecture and focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach to the right answer or atleast have a 50% chance of getting it right.
  • Be sure to cover the following topics
    • Whitepapers and articles
    • Analytics
      • Make sure you know and cover all the services in depth, as 80% of the exam is focused on these topics
      • Elastic Map Reduce
        • Understand EMR in depth
        • Understand EMRFS (Note: EMRFS Consistent View reached end of support on June 1, 2023. Since December 2020, Amazon S3 provides strong read-after-write consistency natively, making Consistent View unnecessary.)
        • Know EMR Best Practices (hint: start with many small nodes instead on few large nodes)
        • Know Hive can be externally hosted using RDS, Aurora and AWS Glue Data Catalog
        • Know also different technologies
          • Presto is a fast SQL query engine designed for interactive analytic queries over large datasets from multiple sources
          • D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS
          • Spark is a distributed processing framework and programming model that helps do machine learning, stream processing, or graph analytics using Amazon EMR clusters
          • Zeppelin/Jupyter as a notebook for interactive data exploration and provides open-source web application that can be used to create and share documents that contain live code, equations, visualizations, and narrative text
          • Phoenix is used for OLTP and operational analytics, allowing you to use standard SQL queries and JDBC APIs to work with an Apache HBase backing store
      • Kinesis
        • Understand Kinesis Data Streams and Kinesis Data Firehose in depth
        • Know Kinesis Data Streams vs Kinesis Firehose
          • Know Kinesis Data Streams is open ended on both producer and consumer. It supports KCL and works with Spark.
          • Know Kineses Firehose is open ended for producer only. Data is stored in S3, Redshift and OpenSearch Service (formerly Elasticsearch).
          • Kinesis Firehose works in batches with minimum 60secs interval.
        • Understand Kinesis Encryption (hint: use server side encryption or encrypt in producer for data streams)
        • Know difference between KPL vs SDK (hint: PutRecords are synchronously, while KPL supports batching)
        • Kinesis Best Practices (hint: increase performance increasing the shards)
      • Know Amazon OpenSearch Service (formerly Elasticsearch Service) is a search and analytics service which supports indexing, full text search, faceting, vector search, and log analytics.
      • Redshift
        • Understand Redshift in depth
        • Understand Redshift Advance topics like Workload Management, Distribution Style, Sort key
        • Know Redshift Best Practices w.r.t selection of Distribution style, Sort key, COPY command which allows parallelism
        • Know Redshift views to control access to data.
      • Amazon Machine Learning
      • Know Data Pipeline for data transfer (Note: AWS Data Pipeline is in maintenance mode and closed to new customers as of July 25, 2024. Alternatives include AWS Glue, AWS Step Functions, and Amazon MWAA (Managed Workflows for Apache Airflow).)
      • QuickSight
      • Know Glue as the ETL tool (AWS Glue is now at version 5.1 with Apache Spark 3.5.4, Python 3.11, and native integration with Apache Iceberg, Hudi, and Delta Lake.)
    • Security, Identity & Compliance
    • Management & Governance Tools
      • Understand AWS CloudWatch for Logs and Metrics. Also, CloudWatch Events more real time alerts as compared to CloudTrail
    • Storage
    • Compute
      • Know EC2 access to services using IAM Role and Lambda using Execution role.
      • Lambda esp. how to improve performance batching, breaking functions etc.

AWS Certified Big Data – Speciality (BDS-C00) Exam Resources

⚠️ Note: The resources below were relevant for the retired BDS-C00 exam. For current Data Engineer certification preparation, see:

Current Replacement: AWS Certified Data Engineer – Associate (DEA-C01)

The AWS Certified Data Engineer – Associate (DEA-C01) is the current certification that covers data and analytics topics on AWS. It validates skills across four domains:

  • Domain 1: Data Ingestion and Transformation (34%) – Kinesis, MSK, DMS, Glue, EMR, Step Functions
  • Domain 2: Data Store Management (26%) – S3, Redshift, DynamoDB, RDS, Lake Formation, Data Catalog
  • Domain 3: Data Operations and Support (22%) – Pipeline orchestration, monitoring, troubleshooting, MWAA
  • Domain 4: Data Security and Governance (18%) – Encryption, access control, data privacy, Lake Formation permissions

Key differences from BDS-C00:

  • Associate-level (not Specialty) – requires 1-2 years hands-on AWS experience
  • Stronger focus on modern services: AWS Glue, Lake Formation, Step Functions, Amazon MWAA
  • Includes Apache Iceberg, Hudi, and Delta Lake open table formats
  • No longer covers deprecated services (Data Pipeline, Amazon ML classic)
  • Includes Amazon OpenSearch Service (replaced Elasticsearch Service)
  • Covers Amazon SageMaker AI for ML integration in data pipelines

For the full learning path, see AWS Certified Data Engineer – Associate (DEA-C01) Exam Learning Path.

AWS Cloud Migration

AWS Cloud Migration

📋 Updated June 2025: This post has been updated to reflect the current AWS migration framework including the 7 Rs migration strategies (added Relocate), the 3-phase migration process (Assess, Mobilize, Migrate & Modernize), deprecation of AWS Server Migration Service (replaced by AWS Transform MGN), and the launch of AWS Transform – an AI-driven migration and modernization service.

Some of the key drivers to moving to cloud are:

  • Operational Costs – Key components of operational costs are unit price of infrastructure, the ability to match supply and demand, finding a pathway to optionality, employing an elastic cost base, and transparency
  • Workforce Productivity – Getting up and ready in seconds and various service availability
  • Cost Avoidance – Eliminating the need for hardware refresh programs and constant maintenance programs
  • Operational Resilience – Increases resilience and thereby reduces organization’s risk profile
  • Business Agility – React to market conditions more quickly
  • Sustainability – Leverage shared infrastructure and optimized resource utilization to reduce carbon footprint

Cloud Stages of Adoption

Cloud Stages of Adoption

PROJECT

  • In the project phase, execute projects to get familiar with and experience benefits from the cloud.

FOUNDATION

  • After experiencing the benefits of cloud, build the foundation to scale the cloud adoption.
  • This includes creating a landing zone (a pre-configured, secure, multi-account AWS environment), Cloud Center of Excellence (CCoE), operations model, as well as assuring security and compliance readiness.
  • AWS Control Tower helps set up and govern a secure, multi-account AWS environment (landing zone) based on best practices.

MIGRATION

  • Migrate existing applications including mission-critical applications or entire data centers to the cloud as you scale your adoption across a growing portion of the IT portfolio.

REINVENTION

  • Now that the operations are in the cloud, focus on reinvention by taking advantage of the flexibility and capabilities of AWS to transform business by speeding time to market and increasing the attention on innovation.

Migration Process

AWS recommends performing the migration process in three phases: Assess, Mobilize, and Migrate & Modernize.

Migration Process

Phase 1: Assess

  • Determine the right objectives and develop a preliminary business case for a migration.
  • Understand the current environment, application portfolio, interdependencies, and identify what is suitable for migration.
  • Use discovery tools like AWS Transform for automated application discovery, dependency mapping, and migration planning.
  • Build a directional business case by taking objectives into account along with the age and architecture of the existing applications, and their constraints.

Phase 2: Mobilize

  • Create a migration plan and refine the business case built in the Assess phase.
  • Address gaps in organizational readiness identified in the Assess phase.
  • Build the foundational landing zone, establish security guardrails, and set up operational tooling.
  • Perform pilot migrations to test processes, tools, and build team expertise.
  • Define the migration patterns, processes, and tools that will be used at scale.

Phase 3: Migrate & Modernize

  • Execute the migration using the patterns and tools validated during the Mobilize phase.
  • Each application is designed, migrated, and validated according to one of the seven common application strategies (“The 7 R’s”).
  • Focus on speed and scale – implement a migration factory approach for high-volume migrations.
  • Iterate on the foundation, turn off old systems, and modernize applications post-migration.
  • AWS provides migration services including:

⚠️ Deprecated Service Notice

AWS Server Migration Service (SMS) was discontinued on March 31, 2022. AWS recommends AWS Transform MGN (formerly AWS Application Migration Service) as the replacement for lift-and-shift migrations.

AWS Migration Hub is no longer open to new customers as of November 7, 2025. For similar capabilities, use AWS Transform.

Application Migration Strategies – The 7 R’s

Migration strategies depend upon what is in your environment and what is suitable for the portfolio, taking into account the business and technical requirements.

Below are the seven common migration strategies (expanded from the original “5 R’s” that Gartner outlined in 2011 to the current “7 R’s”).

Application Migration Strategies

1. Rehost (“lift and shift”)

  • Moving your application as is to the Cloud without making any changes.
  • Helps to quickly implement the migration and scale to meet a business case.
  • Provides better opportunity to re-architect the applications once they are already running in cloud, with the organization having already developed cloud skills.
  • Rehosting can be automated with tools such as AWS Transform MGN (formerly AWS Application Migration Service), or can be done manually.
  • AWS Transform MGN continuously replicates source servers to AWS, enabling non-disruptive testing and cutover.

2. Replatform (“lift, tinker and shift”)

  • Moving your application to the Cloud with optimizations, without any major changes.
  • Replatform helps achieve some tangible benefit without changing the core architecture of the application. For e.g., using RDS for database, Elastic Beanstalk for applications, or using AWS Graviton processors for cost optimization.
  • Can involve moving to managed services, upgrading OS versions, or migrating to containers without code changes.

3. Repurchase (“drop and shop”)

  • Dropping the application and moving to a completely new solution.
  • More of a Buy in a Build vs Buy model; might be expensive in short term but faster time to market.
  • Move to a different product, typically from a traditional license to a SaaS model (e.g., migrating CRM to Salesforce, or HR system to Workday).

4. Refactor / Re-architect

  • Moving the application to Cloud, with major changes to take advantage of cloud-native features.
  • More of a Build in a Build vs Buy model, and would take time.
  • Driven by a strong business need to add features, scale, or performance with agility and improvement in business continuity that would otherwise be difficult to achieve in the application’s existing environment.
  • May involve moving to microservices, serverless architecture, or event-driven design.

5. Retire

  • Decommission the applications that are no longer needed.
  • Identifying IT assets that are no longer useful and can be turned off will help boost your business case and direct your attention towards maintaining the resources that are widely used.
  • Includes decommissioning zombie applications (avg CPU/memory below 5%) and idle applications (5-20% usage over 90 days).

6. Retain

  • Keep the applications as is in the current environment.
  • Retain portions of the IT portfolio that have tight dependencies, are difficult or not in priority, or are not ready for migration.
  • May include applications with unresolved compliance requirements, recent upgrades, or dependencies on specialized hardware.

7. Relocate (hypervisor-level lift and shift)

  • Transfer infrastructure to the cloud without purchasing new hardware, rewriting applications, or modifying existing operations.
  • Enables moving a large number of servers at a given time from on-premises to a cloud version of the platform.
  • During relocation, the application continues to serve users, minimizing disruption and downtime.
  • Relocate is the quickest way to migrate and operate workloads in the cloud because it does not impact the overall architecture.
  • Example: Moving VMware workloads to AWS using AWS Transform for VMware.

AWS Migration Services and Tools

AWS Transform (Launched May 2025)

  • AI-driven service that uses agentic AI to accelerate and simplify migration and modernization of infrastructure, applications, and code.
  • Automates the full migration lifecycle: discovery, dependency mapping, migration planning, network conversion, and EC2 instance optimization.
  • Brings together 20 years of migration experience with specialized AI agents, human teams, and partner workflows.
  • Capabilities include:
    • AWS Transform for VMware – Automated VMware workload migration
    • AWS Transform for Mainframe – Mainframe modernization with AI agents
    • AWS Transform for .NET – Automated .NET framework modernization
    • AWS Transform for Windows – Full-stack Windows modernization
    • AWS Transform MGN – Rehosting (lift-and-shift) with continuous replication
  • Learn more: AWS Transform

AWS Transform MGN (formerly Application Migration Service)

  • Dedicated rehosting capability that automates the conversion of source servers (physical, virtual, or cloud) into native Amazon EC2 instances.
  • Continuously replicates block-level volumes from source servers to AWS.
  • Enables non-disruptive testing prior to cutover.
  • Supports a wide range of applications without changes to architecture or migrated servers.
  • Learn more: AWS Transform MGN

AWS Database Migration Service (DMS)

  • Supports homogeneous (e.g., Oracle to Oracle) and heterogeneous (e.g., Oracle to Aurora) database migrations.
  • DMS Serverless provides automatic scaling and storage management.
  • DMS Schema Conversion with GenAI accelerates heterogeneous database migrations using AI.
  • Supports continuous data replication for minimal downtime migrations.
  • Learn more: AWS DMS

AWS Migration Acceleration Program (MAP)

  • Comprehensive program based on thousands of enterprise customer migrations.
  • Uses a three-phased framework: Assess, Mobilize, and Migrate & Modernize.
  • Provides migration credits, technical guidance, and best-practice methodologies.
  • Includes support for VMware migrations, AI workloads, and mainframe modernization.
  • Learn more: AWS MAP

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company is planning the migration of several lab environments used for software testing. An assortment of custom tooling is used to manage the test runs for each lab. The labs use immutable infrastructure for the software test runs, and the results are stored in a highly available SQL database cluster. Although completely rewriting the custom tooling is out of scope for the migration project, the company would like to optimize workloads during the migration. Which application migration strategy meets this requirement?
    1. Re-host
    2. Re-platform
    3. Re-factor/re-architect
    4. Retire
  2. A company wants to migrate its on-premises VMware infrastructure to AWS with minimal changes to the applications. The company wants the fastest migration path that does not require purchasing new hardware or modifying existing operations. Which migration strategy should the company use?
    1. Rehost
    2. Replatform
    3. Relocate
    4. Refactor
  3. A company is migrating its data center to AWS. It needs to automatically replicate source servers to AWS and perform non-disruptive testing before cutover. Which AWS service should the company use?
    1. AWS Server Migration Service
    2. AWS Transform MGN
    3. AWS DataSync
    4. AWS Snowball
  4. An organization wants to use AI-powered tools to automate application discovery, dependency mapping, and migration planning for its large-scale migration to AWS. Which service provides these capabilities?
    1. AWS Migration Hub
    2. AWS Application Discovery Service
    3. AWS Transform
    4. AWS Server Migration Service
  5. A company is evaluating its application portfolio for migration to AWS. Several applications have average CPU and memory usage below 5%. What migration strategy is most appropriate for these applications?
    1. Rehost
    2. Retain
    3. Retire
    4. Replatform
  6. A company wants to migrate its Oracle database to Amazon Aurora PostgreSQL to reduce licensing costs and take advantage of cloud-native features. Which migration strategy does this represent?
    1. Rehost
    2. Replatform
    3. Refactor/Re-architect
    4. Repurchase

References

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Learning Path

AWS Certified DevOps Engineer - Professional (DOP-C01) Certificate

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Learning Path

⚠️ EXAM RETIRED – DOP-C01 No Longer Available

AWS Certified DevOps Engineer – Professional (DOP-C01) was retired on March 6, 2023.

This content is maintained for historical reference only. The DOP-C01 exam can no longer be taken.

Current Exam Version:

Key Changes in DOP-C02:

  • Updated domain structure with 6 domains (previously 5)
  • Greater emphasis on CI/CD automation, IaC, and container/serverless deployments
  • New coverage of AWS CDK, Step Functions, EventBridge, and modern observability
  • 75 questions in 180 minutes (previously 170 minutes)

AWS Certified DevOps Engineer – Professional (DOP-C01) exam was the upgraded pattern of the DevOps Engineer – Professional exam which was released in 2018. AWS replaced it with DOP-C02 on March 7, 2023.

AWS Certified DevOps Engineer – Professional (DOP-C01) exam validated

  • Implement and manage continuous delivery systems and methodologies on AWS
  • Implement and automate security controls, governance processes, and compliance validation
  • Define and deploy monitoring, metrics, and logging systems on AWS
  • Implement systems that are highly available, scalable, and self-healing on the AWS platform
  • Design, manage, and maintain tools to automate operational processes

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Summary

AWS Certified DevOps Engineer – Professional – Current Exam Resources (DOP-C02)

Note: The resources below have been updated for the current DOP-C02 exam. For the complete DOP-C02 learning path, visit the DOP-C02 Exam Learning Path.

DOP-C02 Exam Domain Overview

The current DOP-C02 exam has 6 domains (compared to 5 in DOP-C01):

  • Domain 1: SDLC Automation (22%) – CI/CD pipelines, testing, deployment strategies
  • Domain 2: Configuration Management and IaC (17%) – CloudFormation, CDK, Systems Manager
  • Domain 3: Resilient Cloud Solutions (15%) – HA, scalability, disaster recovery
  • Domain 4: Monitoring and Logging (15%) – CloudWatch, X-Ray, observability
  • Domain 5: Incident and Event Response (14%) – EventBridge, automation, remediation
  • Domain 6: Security and Compliance (17%) – IAM, secrets management, compliance automation

For the complete DOP-C02 preparation guide, refer to the AWS Certified DevOps Engineer – Professional (DOP-C02) Exam Learning Path.