3.2 CI/CD with CodePipeline, CodeBuild, CodeDeploy

The four code services

AWS splits CI/CD into focused services. The exam repeatedly tests which one owns a given file or job, so memorize the ownership map.

CodePipeline is the conductor. It models a release as ordered stages (Source, Build, Deploy, plus optional Test or Approval), and each stage holds one or more actions that can run in series or parallel. Stages pass an artifact through a pipeline artifact bucket in S3; the source action zips the repo, and each later action consumes the previous output artifact and emits its own. CodePipeline is triggered by an EventBridge rule on a source change, not by polling, in the default modern setup.

A pipeline can use providers beyond the AWS-native code services — GitHub via a CodeStar/CodeConnections connection as a source, Jenkins as a build provider, and so on — but the Source/Build/Deploy stage model stays the same. Within a stage, actions in the same run order execute in parallel, which is how teams run linting and unit tests simultaneously.

buildspec.yml (CodeBuild)

buildspec.yml lives at the repo root by default and drives CodeBuild. It defines ordered phases plus an artifacts and optional cache/reports block:

• install — set up runtime versions and tools
• pre_build — log in to ECR, fetch dependencies, run linters
• build — compile and run unit tests
• post_build — package, tag, and push images

The artifacts block names the files CodeBuild outputs for the next stage. Environment variables can be plaintext, or pulled securely from Systems Manager Parameter Store (parameter-store) or Secrets Manager (secrets-manager). To build Docker images, the CodeBuild project must run in privileged mode.

appspec.yml (CodeDeploy)

appspec.yml drives CodeDeploy. It declares what to deploy and the lifecycle event hooks that run validation scripts. The hook names differ by compute platform:

A failing hook returns a non-zero exit code, which stops the deployment and can trigger an automatic rollback to the last known-good revision.

A subtle but tested detail: for EC2/on-prem deployments, the CodeDeploy agent must be installed and running on each instance, and the appspec files section maps source files to destination paths on disk. For Lambda and ECS, there is no agent — CodeDeploy manipulates an alias or a task set instead, which is why their appspec hooks are limited to the *AllowTraffic events. Mixing up EC2 hooks with Lambda hooks is a frequent distractor.

CodeArtifact and IaC integration

CodeArtifact is a managed package repository for npm, pip, Maven, NuGet, and similar ecosystems. CodeBuild pulls dependencies from it for consistent, auditable, IAM-controlled builds, and a repository can have an upstream that proxies a public registry (npmjs, PyPI) so external packages are cached and version-pinned. Do not confuse it with Amazon ECR, which stores container images, or CodeCommit, which stores Git source.

Pipelines integrate tightly with CloudFormation and SAM: a CloudFormation deploy action can create or update a stack — often by first creating a change set, then a separate manual approval, then executing the change set, so production infrastructure changes are reviewed. This makes the pipeline itself infrastructure-aware.

A manual approval action pauses the pipeline indefinitely and (optionally) sends an SNS notification so a person can gate promotion to production. The pipeline stays paused until someone approves or rejects in the console, and rejection stops the release.

Exam trap to lock in: the build file is buildspec.yml (CodeBuild) and the deploy/traffic-hook file is appspec.yml (CodeDeploy). There is no pipeline.yml build file — that option is always a distractor.

Secrets, caching, and local builds

Never bake credentials into buildspec.yml. Pull them at build time from Secrets Manager or SSM Parameter Store so they are masked in logs. CodeBuild can also persist a cache (in S3 or a local Docker layer cache) to speed dependency installs, and you can run a build locally with the CodeBuild local agent for debugging. Build artifacts and reports (test results, code coverage) land in S3 and the CodeBuild Reports console respectively.

The full AWS-native flow the exam expects you to assemble: CodeCommit (source) triggers CodePipeline, which invokes CodeBuild (reads buildspec.yml, pulls packages from CodeArtifact, pushes an image to ECR), then a manual approval, then CodeDeploy (reads appspec.yml) releases to EC2, Lambda, or ECS using a canary or blue/green strategy.

Service-discriminator cheat sheet

When a question names a file or job, snap to the owning service:

Keep these distinct from EventBridge (the change-detection trigger) and S3 (the artifact store). Most CI/CD questions on the DVA-C02 are really which service owns this file or responsibility, so this mapping alone clears a large share of them.