Cloud Learning Roadmaps

Everything in DevOps runs on Linux and git. Get fluent in bash scripting, cron jobs, file permissions, process management, and git branching strategies before anything else.

Understand the core AWS services you'll be automating: EC2, S3, IAM, VPC, Lambda. A DevOps engineer who doesn't understand the underlying services will struggle to automate them well.

Define your entire AWS environment as code. Learn CloudFormation templates for the fundamentals, then move to the CDK for a TypeScript-based developer experience. Version control your infrastructure like application code.

Terraform is the most widely-used IaC tool in the industry. Learn HCL syntax, how to manage state, structure modules, and work across multiple AWS environments safely.

Build a pipeline that runs tests on pull requests and deploys to AWS on merge using GitHub Actions with OIDC authentication — no long-lived access keys required.

Package applications into containers that run identically in development and production. Learn Dockerfiles, multi-stage builds, image layers, and how to push images to Amazon ECR.

Run your Docker container in AWS without managing servers. Build a task definition, create an ECS service, put it behind an Application Load Balancer, and wire up auto-scaling.

Build observability into your systems from the start. Emit structured JSON logs, create custom metrics, trace requests across services with X-Ray, and build dashboards your on-call team can actually use.

The DOP-C02 validates everything in this roadmap. It's one of the harder AWS certifications — allocate 4–6 weeks of focused study and practice exams after completing the hands-on phases.

Go beyond "just use Lambda". Understand EC2 instance families, Savings Plans, Spot interruptions, ECS vs EKS, and when each compute option makes sense at scale.

The database choice is one of the most consequential architectural decisions. Deeply understand when to use RDS, Aurora, DynamoDB, ElastiCache, Neptune, Redshift, or Timestream — and how data access patterns drive the decision.

Understand how traffic flows from a browser to your application and back. Learn VPC design, Transit Gateway, Direct Connect, Route 53 routing policies, and CloudFront caching strategies.

Most modern AWS workloads are event-driven. Learn how to chain Lambda functions, decouple services with SQS and SNS, orchestrate workflows with Step Functions, and build fan-out patterns with EventBridge.

Understand the real operational cost of microservices before recommending them. Learn service decomposition, API contracts, service discovery with Cloud Map, and when a well-structured monolith is the right answer.

Every architecture review will ask about HA and DR. Understand RTO vs RPO, active-active vs active-passive, multi-AZ vs multi-region, and how to design and test for failure at every layer.

Cloud cost overruns kill products. Learn the AWS pricing model in depth, understand Reserved Instances vs Savings Plans, right-size your compute, implement tagging strategies, and use AWS Cost Explorer and Trusted Advisor.

Design security controls into the architecture rather than bolting them on afterward. Cover IAM permission boundaries, SCPs for multi-account governance, encryption strategies, and network isolation patterns.

Start with the Solutions Architect Associate (SAA-C03) to validate your foundation, then aim for the Professional (SAP-C02) which tests your ability to evaluate complex trade-offs across the full AWS service catalogue.

Python and SQL are the primary tools of a data engineer. Get comfortable with pandas, boto3 for AWS, data formats (JSON, Parquet, CSV), and the SQL window functions and aggregations you'll use daily.

Almost every data pipeline on AWS runs through S3. Learn bucket design, storage classes, lifecycle policies, encryption, and the IAM permissions model you'll need to lock down data access properly.

A well-structured S3 data lake makes downstream querying fast and cheap. Learn how to design partition strategies, choose file formats, set up Lake Formation access controls, and manage data quality at ingestion.

Build a pipeline triggered by S3 events: raw files land in a bucket, Lambda transforms them, and clean records are written back to S3 in Parquet format and loaded into DynamoDB.

Glue automates schema discovery and runs Spark-based ETL jobs at scale without managing clusters. Learn crawlers, the Glue Data Catalog, job bookmarks for incremental processing, and when Glue is the right tool vs Lambda.

Athena lets you query S3 directly with SQL — no servers, no loading. Redshift is a columnar warehouse for complex analytics at petabyte scale. Know when to use each and how to keep costs under control.

Build a streaming data pipeline: producers send events to Kinesis Data Streams, Lambda consumers process them in real time, Kinesis Firehose buffers and delivers to S3, and Athena queries the results.

Orchestrate multi-step data workflows with Step Functions state machines. Handle retries, error branches, parallel processing, and long-running jobs without a dedicated orchestration server.

The Data Analytics Specialty covers collection, storage, processing, and visualisation across the full AWS data stack. Completing phases 1–3 hands-on puts you in a strong position — plan for 4–6 weeks of dedicated study.

IAM is the foundation of every AWS security control. Go beyond basic policies — master permission boundaries, policy evaluation logic, role chaining, cross-account access, and IAM Access Analyzer.

Enterprise AWS environments run across dozens of accounts. Learn to use AWS Organizations with Service Control Policies to enforce guardrails at scale, and Control Tower to set up a compliant multi-account landing zone.

Understand how external identities — corporate SSO, Google, social logins — are federated into AWS using Cognito, STS AssumeRoleWithSAML, and OIDC. A critical pattern for enterprise applications.

Network-level isolation is your first line of defence. Learn to design private subnet architectures, use VPC endpoints to keep traffic off the public internet, configure NACLs and security groups correctly, and analyse traffic with VPC Flow Logs.

Protect your applications from web exploits and DDoS attacks. Learn to write WAF rules targeting the OWASP Top 10, set up rate-based rules, and understand when Shield Standard vs Advanced applies.

Enable continuous threat intelligence with GuardDuty, centralise audit logging with CloudTrail across all accounts, and aggregate findings from all security services into Security Hub for a single compliance view.

Build event-driven security automation: GuardDuty findings trigger EventBridge rules, Lambda functions evaluate and remediate (e.g., isolate an instance, revoke credentials), and SNS sends alerts to your security team.

Eliminate hardcoded credentials and ensure data at rest is always encrypted. Learn KMS key policies and grants, Secrets Manager automatic rotation, and Macie for discovering sensitive data in S3.

The Security Specialty is one of the most respected AWS certifications. It validates deep knowledge of identity, infrastructure, data, logging, and incident response across the full AWS stack. The hands-on phases in this roadmap give you a strong practical foundation — plan 4–6 weeks of structured study.