Commonly Confused Services on DOP-C02

Deciding signal

CodeBuild compiles source code, runs unit tests, and produces build artifacts — it is the CI build stage. CodeDeploy takes a deployable artifact (from S3 or an ECR image) and deploys it to EC2 instances, ECS services, Lambda functions, or on-premises servers using a configurable strategy. CodePipeline orchestrates the stages: source → build → test → deploy → approval. A question asking "which service executes the rolling deployment to EC2" points to CodeDeploy. A question asking "which service triggers the build when a commit is pushed and then deploys if tests pass" points to CodePipeline as the orchestrator. DOP-C02 specifically tests whether candidates can distinguish the deployment executor (CodeDeploy) from the pipeline orchestrator (CodePipeline).

Deciding signal

CloudFormation is the foundation — it accepts declarative YAML or JSON templates and provisions resources. CDK (Cloud Development Kit) lets you define infrastructure in TypeScript, Python, Java, or C#; it synthesizes to CloudFormation templates. SAM (Serverless Application Model) is a CloudFormation extension with shorthand syntax for Lambda functions, API Gateway, DynamoDB, and Step Functions — it simplifies serverless resource definitions and includes the SAM CLI for local testing. The signal is the abstraction level: raw YAML/JSON (CloudFormation), code in a general-purpose language (CDK), or shorthand for serverless resources (SAM). DOP-C02 tests which tool is appropriate for a given developer workflow.

Deciding signal

In-Place deploys to existing instances — stops the current app, deploys the new version, restarts. There is downtime. Blue/Green provisions a new set of instances with the new version, validates them, then shifts traffic from old (blue) to new (green). Old instances remain for rollback. Canary shifts a small percentage of traffic (e.g., 10%) to the new version, waits, then shifts the rest if the first segment succeeds. Linear shifts traffic in equal increments on a fixed schedule (e.g., 10% every 5 minutes). Canary is two steps; Linear is many equal steps. When the scenario describes validating with a small subset of traffic first before full cutover, Canary. When it describes a gradual equal-increment shift, Linear.

Deciding signal

Elastic Beanstalk is a PaaS: you upload application code (ZIP or Docker) and Beanstalk provisions EC2, ELB, Auto Scaling, and CloudWatch automatically. It manages the infrastructure lifecycle. CodeDeploy is a deployment service that takes a pre-built artifact and deploys it to target compute using a defined strategy — it requires the infrastructure to already exist. OpsWorks manages Chef or Puppet configuration management: you define layers and recipes, and OpsWorks handles software configuration on instances. The signal is the abstraction level: code upload with infrastructure provisioning (Beanstalk), deployment to existing infrastructure with strategy control (CodeDeploy), or Chef/Puppet configuration management (OpsWorks).

Deciding signal

Parameter Store stores strings, string lists, and encrypted secure strings via KMS. Standard parameters are free; there is no rotation mechanism built in. Secrets Manager stores secrets with a built-in rotation engine: it natively integrates with RDS, Redshift, and DocumentDB to rotate passwords on a defined schedule, and supports Lambda-based rotation for any other service. It charges per secret per month. On DOP-C02, Secrets Manager is specifically the answer when the scenario mentions automatic credential rotation or when the secret is a database password that must be rotated without application changes. Parameter Store is the answer for non-rotating configuration, environment variables, or per-parameter storage at scale where cost matters.

Deciding signal

CloudWatch collects metrics, ingests logs, triggers alarms, and drives dashboards — it answers "how is this resource performing?" X-Ray traces requests through distributed systems: it shows which service called which, how long each segment took, and where errors occurred across Lambda, API Gateway, ECS, and other instrumented services. It answers "where is this request failing or slowing down across my microservices?" CloudTrail records API calls — who made them, when, from where — for account-level audit and governance. When a scenario describes debugging latency in a Lambda-to-DynamoDB request chain, X-Ray. When it describes alerting on error rate, CloudWatch. When it describes who deleted a deployment configuration, CloudTrail.

Deciding signal

S3 is generic object storage — CodePipeline and CodeBuild use it to pass build artifacts between pipeline stages. It stores ZIP files, binaries, and other build outputs. ECR is a fully managed container image registry — it stores, versions, and distributes Docker and OCI images. It is the specific answer when the build output is a container image. CodeArtifact is a managed artifact repository for software packages — Maven, npm, pip, NuGet, and others. It proxies public registries, caches packages, and stores your internal private packages. When the scenario involves sharing npm or Maven packages internally, CodeArtifact. Container images, ECR. Generic pipeline artifacts between stages, S3.

Deciding signal

CloudFormation Stacks deploy resources in a single AWS account and region. StackSets extend this to deploy the same template across multiple accounts and regions simultaneously — managed centrally from an administrator account. StackSets require an Organizations setup for service-managed mode or explicit delegated admin configuration for self-managed mode. When the scenario describes deploying a resource configuration consistently across all accounts in an organization (e.g., a CloudTrail configuration, a security baseline), StackSets. When the scenario involves managing infrastructure within a single account, Stacks.

Deciding signal

Lambda runs custom code — it is the right answer when the automation requires logic beyond predefined runbooks. Systems Manager Automation runs pre-built or custom runbooks (SSM Documents) against AWS resources — restarting instances, patching AMIs, creating snapshots, taking resource compliance actions. It integrates with Maintenance Windows and provides approval steps and rate controls. EventBridge routes events between services based on rules — it is the event bus, not the execution engine. The typical pattern is EventBridge detects an event and triggers an SSM Automation runbook or Lambda function. When the scenario describes executing an operational action on an EC2 instance or resource using a predefined runbook, SSM Automation. When it describes custom logic, Lambda.

Deciding signal

Organizations is the structural foundation: account grouping into OUs and service control policies (SCPs) that restrict what any account can do. It does not provision or baseline accounts. Control Tower automates the creation of a well-governed multi-account landing zone — it provisions accounts with pre-configured security baselines, logging, and guardrails using Organizations under the hood. Config evaluates individual resource configurations against rules and tracks configuration history. DOP-C02 tests whether candidates can separate account-level permission guardrails (Organizations SCPs), automated account provisioning and baseline governance (Control Tower), and continuous resource-level compliance evaluation (Config). These three often work together but each answers a different governance question.