Here are 100 AWS interview questions and answers, covering fundamental concepts, compute, storage, networking, security, databases, IAM, monitoring, serverless, cost optimization, and scenario‑based troubleshooting. Each question is in bold, followed by a detailed answer. No dividing lines.
What is AWS and what are its key benefits?
Answer: AWS (Amazon Web Services) is a cloud computing platform offering over 200 services. Key benefits: pay‑as‑you‑go pricing (no upfront costs), global infrastructure (regions and availability zones), scalability (auto‑scale resources), reliability (high availability and redundancy), security (compliance certifications, encryption), and agility (rapid deployment of resources).
What is the difference between a region and an availability zone?
Answer: A region is a geographic area (e.g., us‑east‑1 – North Virginia) containing multiple isolated locations called availability zones (AZs). Each AZ is one or more physical data centers with independent power, cooling, and networking. AZs within a region are connected via low‑latency links. Multi‑AZ deployments provide high availability.
What are edge locations and how do they relate to CloudFront?
Answer: Edge locations are globally distributed points where CloudFront caches content for low‑latency delivery. They are separate from regions and AZs. CloudFront uses edge locations to serve cached objects to users, reducing load on origin servers.
What is the AWS Shared Responsibility Model?
Answer: AWS is responsible for security OF the cloud (physical infrastructure, hardware, software, networking). The customer is responsible for security IN the cloud (data encryption, OS patches on EC2, IAM policies, network firewalls, application code). This model varies by service (e.g., RDS, AWS manages OS, but customer manages data and access).
What is IAM and what are its core components?
Answer: IAM (Identity and Access Management) controls access to AWS resources. Core components: Users (individuals with long‑term credentials), Groups (collections of users), Roles (assumed by users or services for temporary permissions), Policies (JSON documents defining permissions), and Identity Providers (federated logins).
What is the difference between an IAM user and an IAM role?
Answer: An IAM user has permanent credentials (username/password or access keys) associated with a specific person or application. An IAM role does not have permanent credentials; instead, it is assumed temporarily by trusted entities (users, services, or AWS accounts) to gain permissions. Roles are recommended for EC2 instances or cross‑account access because credentials rotate automatically.
What are the key principles of least privilege in IAM?
Answer: Grant only the minimum permissions required to perform a task. Start with no permissions, then add only necessary actions. Use IAM policies with conditions (e.g., IP address, MFA). Rotate credentials regularly. Avoid using root account for daily tasks.
What is Amazon EC2 and what are the main instance families?
Answer: Elastic Compute Cloud (EC2) provides resizable virtual servers. Instance families: General purpose (t3, t4g – balanced), Compute optimized (c5, c6g – high CPU), Memory optimized (r5, x1 – large RAM), Storage optimized (i3, d2 – high local disk I/O), Accelerated computing (p3, g4 – GPU/FPGA).
What are EC2 purchase options and when would you use each?
Answer: On‑Demand – pay by the hour/second, no commitment, ideal for unpredictable workloads. Reserved Instances – 1‑3 year commitment, up to 72% discount, for steady‑state production. Savings Plans – flexible across instance families, similar discounts. Spot Instances – up to 90% discount, but can be reclaimed, for fault‑tolerant or batch jobs. Dedicated Hosts – physical server for compliance or licensing.
What is an Amazon Machine Image (AMI) and how do you create one?
Answer: An AMI is a template containing the operating system, application software, and launch configuration for EC2. Create from an existing instance, from snapshots, or from scratch. AMIs are region‑specific but can be copied to other regions.
What is a security group and how is it different from a network ACL (NACL)?
Answer: Security groups are stateful virtual firewalls at the instance level (ENI). They allow only rules you specify; default deny all inbound, allow all outbound. NACLs are stateless firewall at the subnet level; they support both allow and deny rules, evaluated in order. Security groups require rules for return traffic (stateful), NACLs require explicit return rules (stateless).
What is an Elastic IP address (EIP) and when would you use it?
Answer: An Elastic IP is a static public IPv4 address that you can allocate to your AWS account and remap to different instances. Use it when you need a fixed IP for external access (e.g., for whitelisting, DNS A records). You are charged for idle EIPs (not associated with a running instance).
What is Amazon EBS and what are the volume types?
Answer: Elastic Block Store (EBS) provides persistent block storage for EC2. Types: General Purpose SSD (gp3, gp2 – balanced for most workloads), Provisioned IOPS (io1, io2 – high performance for databases), Throughput Optimized HDD (st1 – big data, log processing), Cold HDD (sc1 – infrequent access), and Magnetic (standard – legacy). Auto‑EBS snapshots can be taken for backup.
What is the difference between Amazon S3 and EBS?
Answer: S3 is object storage (access over HTTP, not mountable as a drive, suitable for static content, backups, logs). EBS is block storage (mountable to one EC2 instance, low‑latency, used for OS drives, databases). S3 is internet‑accessible, EBS is within VPC. S3 has higher latency, near‑infinite scalability, and cheaper storage (but per‑request costs).
What are the storage classes of Amazon S3?
Answer: S3 Standard (frequent access, high durability), Intelligent‑Tiering (automatic tiering between frequent and infrequent), Standard‑IA (infrequent access, retrieval fee), One Zone‑IA (lower cost, no multi‑AZ), Glacier Instant Retrieval (millisecond retrieval), Glacier Flexible Retrieval (minutes to hours), Glacier Deep Archive (12 hours retrieval, cheapest), Outposts (on‑prem). Use lifecycle policies to transition older objects.
How does S3 achieve 99.999999999% durability (11 9’s)?
Answer: S3 automatically replicates data across multiple availability zones within a region (or across devices in a single AZ for One Zone classes). It checksums data and automatically repairs corrupted or lost replicas. Erasure coding spreads data across many devices.
What is S3 versioning and how does it work?
Answer: S3 versioning keeps multiple versions of an object, allowing you to recover from accidental deletion or overwrite. Versioning is enabled at bucket level. Each version has a unique ID. Deleting an object adds a delete marker (but older versions remain). Pay for all stored versions.
What is an S3 lifecycle policy?
Answer: A lifecycle policy automatically transitions objects between storage classes or deletes them after a specified age. Example: move logs to Standard‑IA after 30 days, to Glacier after 90 days, delete after 365 days. Reduces costs without manual intervention.
What is CloudFront and what are its benefits?
Answer: CloudFront is a global content delivery network (CDN) that caches content at edge locations. Benefits: low latency, high transfer speeds, DDoS protection (integrated with AWS Shield), SSL/TLS termination, custom domain names, caching of dynamic and static content, geographic restriction, and Lambda@Edge for custom logic.
What is an origin in CloudFront?
Answer: An origin is the source of content that CloudFront caches (e.g., S3 bucket, EC2 instance, Application Load Balancer, or even an external HTTP server). CloudFront fetches from the origin when cache misses or expires.
What is AWS Lambda and what are its use cases?
Answer: Lambda is a serverless compute service that runs code in response to events without provisioning servers. Use cases: real‑time file processing (S3 triggers), API backends (API Gateway), scheduled tasks (CloudWatch Events), data transformation (Kinesis), and automating infrastructure responses.
What are Lambda layers?
Answer: Lambda layers are ZIP archives that contain libraries, custom runtimes, or dependencies. They allow code to be shared across multiple functions, reducing deployment package size and making updates easier.
What is Amazon API Gateway?
Answer: API Gateway is a fully managed service for creating, deploying, and managing REST, HTTP, and WebSocket APIs. It handles authentication (IAM, Cognito, API keys), throttling, request transformation, caching, and can directly invoke Lambda, EC2, or other endpoints.
What is Amazon RDS and what database engines does it support?
Answer: Relational Database Service (RDS) provides managed relational databases. Supported engines: Amazon Aurora (MySQL/PostgreSQL compatible), MySQL, PostgreSQL, MariaDB, Oracle, SQL Server. Features: automated backups, read replicas, multi‑AZ failover, scaling, and patching.
What is the difference between Amazon RDS read replicas and multi‑AZ deployments?
Answer: Read replicas are for offloading read traffic (scaling reads) and can be promoted to primary. They are asynchronous replication, and can be in different regions. Multi‑AZ is for high availability: synchronous replication to a standby instance in a different AZ; automatic failover; no direct reads from standby. A single RDS can have both.
What is Amazon DynamoDB and when would you use it?
Answer: DynamoDB is a fully managed NoSQL key‑value and document database, with single‑digit millisecond latency at any scale. Use for high‑throughput, low‑latency workloads (gaming, IoT, e‑commerce carts, session storage). It supports on‑demand or provisioned capacity, and has features like DynamoDB Streams, global tables, and transactions.
What are DynamoDB primary key types?
Answer: Partition key (simple primary key) – hash of one attribute, determines which partition stores the item. Partition key + sort key (composite primary key) – items with same partition key are stored together, sorted by sort key. Composite keys enable rich query patterns.
What is DynamoDB auto‑scaling?
Answer: Auto‑scaling automatically adjusts provisioned read and write capacity based on actual traffic (using CloudWatch alarms). It prevents throttling during spikes and reduces costs during lulls. On‑demand mode is an alternative that scales automatically without capacity planning.
What is Amazon VPC and what are its core components?
Answer: Virtual Private Cloud (VPC) is a logically isolated network in AWS. Core components: subnets (public/private), route tables, internet gateway (IGW) for public internet, NAT gateway for private instances outbound internet, security groups, network ACLs, VPC peering, VPN connections, and VPC endpoints.
What is a subnet? How do public and private subnets differ?
Answer: A subnet is a range of IP addresses within a VPC (CIDR block). Public subnets have a route to an Internet Gateway (IGW) and usually have auto‑assigned public IPs. Private subnets have no route to IGW; they route through a NAT gateway to access internet outbound but are not reachable from internet.
What is an Internet Gateway and a NAT Gateway?
Answer: Internet Gateway (IGW) is a horizontally scaled VPC component that allows communication between VPC and the internet. NAT Gateway (managed) or NAT Instance (self‑managed) allows instances in private subnets to initiate outbound internet traffic (e.g., downloads, patches) while blocking inbound connections from internet.
What is a VPC peering connection?
Answer: VPC peering connects two VPCs (same or different AWS accounts) using private IPv4 or IPv6 traffic. No gateways, no transitive peering (if A peers B and B peers C, A cannot reach C). Traffic stays on AWS backbone. You cannot peer overlapping CIDR blocks.
What is an AWS Transit Gateway?
Answer: Transit Gateway is a hub that connects multiple VPCs, on‑premises networks, and VPN connections. It supports transitive routing (unlike VPC peering), centralizes management, and scales to thousands of connections.
What is an AWS VPN?
Answer: AWS VPN can be a Site‑to‑Site VPN (IPsec) connecting on‑premises network to AWS via a virtual private gateway; or a Client VPN (OpenVPN) for remote users. Used for hybrid cloud connectivity.
What are AWS WAF and AWS Shield?
Answer: AWS WAF (Web Application Firewall) protects web applications from common exploits (SQL injection, XSS, etc.) using rules on HTTP(S) requests. AWS Shield is a managed DDoS protection service – Shield Standard is free, Shield Advanced provides enhanced detection and mitigation, cost protection, and 24/7 DDoS response.
What is AWS CloudTrail?
Answer: CloudTrail records API activity across your AWS account (who did what, from which IP, when). It logs management events (e.g., EC2, IAM) and optionally data events (e.g., S3 object access, Lambda invocations). CloudTrail logs are stored in S3. Essential for auditing, security analysis, and troubleshooting.
What is Amazon CloudWatch?
Answer: CloudWatch monitors AWS resources and applications. It collects metrics (e.g., CPU utilization, S3 bucket size), logs, and alarms. Can trigger auto‑scaling, send notifications (SNS), and supports custom metrics. Also includes Container Insights, Lambda Insights, and CloudWatch Logs for log aggregation.
What is an AWS CloudWatch Alarm?
Answer: An alarm watches a single metric over a specified period and performs one or more actions based on the threshold (e.g., send SNS notification, execute Auto Scaling policy). States: OK, ALARM, INSUFFICIENT_DATA.
What is AWS Config?
Answer: AWS Config tracks and evaluates resource configurations against desired rules (e.g., S3 bucket public read disabled). It records configuration history, provides compliance status, and can automate remediation. Helps with governance and change management.
What is the difference between CloudTrail and CloudWatch?
Answer: CloudTrail logs API activity (who did what, when) for governance and forensic. CloudWatch monitors operational metrics (performance) and aggregates logs from resources. CloudTrail is about “who made a change”, CloudWatch is about “how is the system performing”.
What are Consolidated Billing and AWS Organizations?
Answer: AWS Organizations lets you centrally manage multiple AWS accounts. Consolidated billing aggregates costs across accounts, providing volume pricing discounts. Organizations also enable Service Control Policies (SCPs) to apply permissions guardrails. You can also create organizational units (OUs) for hierarchical management.
What is an IAM Policy and what does it consist of?
Answer: An IAM policy is a JSON document that defines permissions. It consists of: Version (policy language version), Statement(s). Each statement has: Sid (optional identifier), Effect (Allow or Deny), Action (list of API calls), Resource (ARNs), Condition (optional – when to apply).
What is a resource‑based policy?
Answer: Unlike identity‑based policies (attached to IAM user/role), a resource‑based policy attaches directly to an AWS resource (e.g., S3 bucket, SNS topic, Lambda). It defines who can access that resource. Cross‑account access often uses resource‑based policies.
What is an AWS IAM role and how is it assumed?
Answer: An IAM role is an identity with permissions that can be assumed temporarily by users, applications, or AWS services. Assumption methods: aws sts assume-role via CLI, Role for EC2 (instance profile), or federation. Roles provide temporary credentials that rotate automatically.
What is an EC2 instance metadata?
Answer: Instance metadata is data about the instance (instance ID, AMI ID, region, security groups, IAM role credentials). Access from within the instance at http://169.254.169.254/latest/meta-data/. Use for configuration, retrieving temporary IAM role credentials, and scripts.
What is user data in EC2?
Answer: User data is script (bash, cloud‑init) that runs when an EC2 instance launches. Used for bootstrapping: install packages, configure services, download code. It is only executed during first boot (by default). Up to 16KB.
What is an Auto Scaling group (ASG)?
Answer: ASG automatically adjusts the number of EC2 instances based on scaling policies (e.g., target tracking for CPU). It uses launch templates or configurations. Features: health checks, automatic replacement of unhealthy instances, and integration with load balancers.
What is an EC2 launch template compared to launch configuration?
Answer: Launch templates are newer, versioned, and support multiple versions, parameter reuse, and ease of sharing. Launch configurations are legacy, immutable (cannot edit), and lack versioning. Use launch templates for new work.
What is an Elastic Load Balancer (ELB) and its types?
Answer: ELB distributes incoming traffic across multiple targets. Types: Application Load Balancer (ALB – L7, HTTP/HTTPS, path‑based routing, host‑based routing), Network Load Balancer (NLB – L4, ultra‑low latency, static IP), Gateway Load Balancer (GWLB – for virtual appliances), Classic Load Balancer (legacy).
What is a Target Group in ALB?
Answer: A target group is a logical grouping of targets (EC2 instances, Lambdas, IP addresses) that an ALB routes requests to. It defines health checks, routing algorithm (round‑robin, least outstanding requests), and stickiness. ALB listener rules forward requests to target groups.
What is an S3 presigned URL?
Answer: A presigned URL grants temporary access to a private S3 object. The URL includes an expiration time and the requester’s signature. Use for secure temporary downloads/uploads without making the object public or requiring AWS credentials.
What is an S3 bucket policy?
Answer: A bucket policy is a resource‑based IAM policy attached to an S3 bucket. It can grant or deny permissions to the bucket and its objects. Often used to grant public read access, cross‑account access, or enforce encryption conditions.
What is S3 Transfer Acceleration?
Answer: S3 Transfer Acceleration uses CloudFront edge locations to speed up uploads over long distances. Data is uploaded to an edge location, then transferred to S3 via optimized network paths. Best for large files and cross‑continent uploads.
What is EBS snapshot and how do you optimize backup costs?
Answer: An EBS snapshot is an incremental backup of an EBS volume. Only changed blocks are saved. To optimize costs, use lifecycle policies to delete old snapshots, and consider using EBS Snapshots Archive (cheaper but retrieval takes hours).
What is AWS Storage Gateway?
Answer: Storage Gateway is a hybrid cloud storage service that connects on‑premises environments to AWS cloud storage. Types: File Gateway (NFS/SMB to S3), Volume Gateway (iSCSI – cached and stored volumes), Tape Gateway (virtual tapes for Glacier), and Amazon FSx File Gateway.
What is AWS Direct Connect?
Answer: Direct Connect is a dedicated private network connection from on‑premises to AWS. It reduces bandwidth costs and provides consistent, low‑latency network (versus internet VPN). Supports private VIF to VPC or public VIF to cloud services. Bypasses the public internet.
What is Amazon Route 53?
Answer: Route 53 is a DNS service (Domain Name System). Features: domain registration, DNS resolution (A, CNAME, MX, etc.), routing policies (simple, weighted, latency, geolocation, failover), health checks, and traffic flow. Integrates with ALB, CloudFront, and S3.
What are the routing policies in Route 53?
Answer: Simple – single resource record. Weighted – distribute traffic by weight (e.g., 70% to one region). Latency – route to lowest latency region. Geolocation – route based on user’s continent/country. Failover – active‑passive primary/secondary. Multivalue answer – up to 8 healthy IPs for basic load balancing.
What is AWS Certificate Manager (ACM)?
Answer: ACM provides free public SSL/TLS certificates for use with AWS services (CloudFront, ALB, API Gateway). ACM automates renewal and deployment. ACM certificates cannot be exported (except for some private PKI). For HTTPS with custom domains.
What is AWS KMS?
Answer: Key Management Service (KMS) lets you create and manage encryption keys. It integrates with many AWS services (S3, EBS, RDS, Lambda). Supports symmetric and asymmetric keys, automatic key rotation (yearly), and fine‑grained access via IAM.
What is an AWS KMS key rotation?
Answer: For customer managed keys, KMS can automatically rotate the backing key material every year (retaining old key material to decrypt existing data). For AWS managed keys (aws/*), rotation is automatic. Manual rotation requires creating new keys and re‑encrypting data.
What is AWS CloudFormation?
Answer: CloudFormation is Infrastructure as Code (IaC) service. You write templates (YAML or JSON) to describe AWS resources; CloudFormation provisions them in stacks. Supports drift detection, change sets, and rollback. Alternative: Terraform.
What is an AWS CloudFormation stack and stack set?
Answer: A stack is a single unit of resources created from a template. A stack set allows you to deploy the same stack across multiple accounts and regions at once.
What is AWS Elastic Beanstalk?
Answer: Elastic Beanstalk is a PaaS (Platform as a Service) that automates deployment and scaling of web applications. You upload code (Java, .NET, Node, Python, etc.) and it handles capacity provisioning, load balancing, scaling, and application health monitoring. Under the hood, it uses EC2, ASG, ALB, and CloudWatch.
What is AWS OpsWorks?
Answer: OpsWorks is a configuration management service, based on Chef (OpsWorks Chef Automate) or Puppet (OpsWorks Puppet Enterprise). It is for advanced users who need custom automation; Elastic Beanstalk or CodeDeploy are often simpler.
What is AWS CodePipeline?
Answer: CodePipeline is a fully managed CI/CD service that orchestrates build, test, and deploy stages. Integrates with CodeCommit (Git), CodeBuild (build), CodeDeploy (deploy), and third‑party tools (Jenkins, GitHub). Automates release pipelines.
What is AWS CodeBuild?
Answer: CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces artifacts. You pay per minute of build time. No need to manage build servers. Can be triggered by CodePipeline, CodeCommit, or custom events.
What is AWS CodeDeploy?
Answer: CodeDeploy automates application deployments to EC2, on‑premise servers, Lambda, or ECS. Supports blue‑green deployments, in‑place rolling updates, and canary deployments. Uses an appspec file to define hooks.
What is the difference between RDS read replica and Amazon Aurora Replica?
Answer: RDS read replica uses asynchronous replication, can be promoted, and is not included in failover (must be manually promoted). Aurora Replica shares the same underlying storage (faster promotion), is synchronous within a cluster, and supports auto‑promotion if primary fails. Aurora can have up to 15 replicas with near‑real‑time lag.
What is Amazon Aurora Serverless?
Answer: Aurora Serverless is an on‑demand, auto‑scaling configuration for Aurora (MySQL and PostgreSQL compatible). It automatically starts, scales capacity based on workload, and shuts down during inactivity. Billed per second of capacity units (ACU). Good for intermittent or unpredictable workloads.
What is DynamoDB DAX?
Answer: DAX (DynamoDB Accelerator) is an in‑memory cache for DynamoDB, delivering microsecond latency for read‑heavy applications. It is API‑compatible with DynamoDB, requiring no code changes. Use DAX to offload read traffic from DynamoDB and reduce costs.
What is Amazon ElastiCache and what engines does it support?
Answer: ElastiCache is a managed in‑memory caching service. Engines: Redis (open source, advanced data structures, persistence, replication, Sorted Sets, Streams) and Memcached (simple key‑value, multithreaded, no persistence). Used for database query caching, session storage, real‑time analytics.
What is AWS Lambda concurrency?
Answer: Concurrency is the number of Lambda function instances serving requests concurrently. Reserved concurrency guarantees capacity for a function; unreserved concurrency shares a pool (default 1000 per region). Provisioned concurrency keeps instances initialized for low latency.
What is AWS Step Functions?
Answer: Step Functions is a serverless orchestration service that coordinates multiple AWS services (Lambda, ECS, Batch, etc.) into workflows using visual state machines. Supports sequential, parallel, branching, and error handling. Two types: Standard (durable, exactly once) and Express (high‑throughput, at‑most‑once).
What is Amazon SQS (Simple Queue Service)?
Answer: SQS is a fully managed message queuing service for decoupling components. Two types: Standard (high throughput, at‑least‑once delivery, best‑effort ordering) and FIFO (first‑in‑first‑out, exactly‑once, limited throughput). Messages retained up to 14 days. Visibility timeout and dead‑letter queues available.
What is Amazon SNS?
Answer: Simple Notification Service (SNS) is a pub/sub messaging service. Publishers send messages to topics; subscribers receive messages via protocols: HTTP/S, email, SQS, Lambda, SMS, mobile push, etc. Fan‑out pattern: one message to many subscribers.
What is the difference between SQS and SNS?
Answer: SQS is a queue (point‑to‑point) where messages are processed by one consumer and deleted. SNS is a topic (pub‑sub) where messages are delivered to multiple subscribers simultaneously. They are often used together: fan out via SNS to multiple SQS queues.
What is Amazon Kinesis?
Answer: Kinesis is a platform for real‑time streaming data. Kinesis Data Streams – custom streams, record retention up to 365 days, shard–based scaling. Kinesis Data Firehose – loads streams into destinations (S3, Redshift, Elasticsearch, Splunk). Kinesis Data Analytics – real‑time SQL processing on streams.
What is AWS Glue?
Answer: Glue is a serverless ETL (extract, transform, load) service. It discovers data (crawlers), catalogs metadata (Glue Data Catalog), and runs ETL jobs (Spark or Python). Integrates with Athena, EMR, Redshift, S3.
What is AWS Athena?
Answer: Athena is a serverless query service that runs SQL directly on data stored in S3. No infrastructure to manage. Pay per query (by data scanned). Uses Presto engine. Ideal for ad‑hoc analytics, logs, and CSV, JSON, Parquet, ORC data.
What is Amazon Redshift?
Answer: Redshift is a petabyte‑scale data warehouse, columnar storage, MPP architecture. Use for analytics and business intelligence. Redshift Spectrum allows querying data directly in S3. Concurrency scaling and AWS managed but requires provisioning.
What is AWS ECS vs EKS?
Answer: ECS (Elastic Container Service) is a managed container orchestration service (AWS proprietary, simpler). EKS (Elastic Kubernetes Service) is managed Kubernetes (open standard, more portable, larger ecosystem). Both can run on EC2 or Fargate (serverless).
What is AWS Fargate?
Answer: Fargate is a serverless compute engine for containers. You define CPU and memory, and AWS runs the containers without managing underlying EC2 instances or clusters. Works with ECS and EKS.
What is an Elastic Container Registry (ECR)?
Answer: ECR is a fully managed Docker container registry (private and public). Stores, manages, and deploys Docker images. Integrates with ECS, EKS, and CodeBuild. Supports image scanning for vulnerabilities.
What is AWS Budgets?
Answer: AWS Budgets lets you set custom cost or usage thresholds and receive alerts (SNS) when exceeded. It can also track RI utilization and coverage. Helps avoid surprise bills.
What is AWS Cost Explorer?
Answer: Cost Explorer is a tool for visualizing, analyzing, and forecasting AWS costs. Provides charts, filters (by service, region, tag, instance type), and RI recommendations. Good for historical cost analysis.
What are AWS Trusted Advisor?
Answer: Trusted Advisor is an online tool that inspects your AWS environment and provides recommendations in five categories: cost optimization, performance, security, fault tolerance, service limits. Basic checks free for all accounts; full checks require Business or Enterprise support.
What is an AWS Service Limit (Quota)?
Answer: AWS sets default limits per account (e.g., 5 VPCs per region, 100 IAM users). You can request increases via AWS Support. Trusted Advisor tracks service limits.
What is the difference between an EC2 security group rule allowing 0.0.0.0/0 and allowing a specific IP?
Answer: 0.0.0.0/0 allows all IPv4 addresses (public internet). Specific IP (e.g., 203.0.113.5/32) restricts to a single address. Opening to 0.0.0.0/0 should be avoided for internal services, but may be needed for public web servers (with proper WAF/shield).
What is an AWS Outpost?
Answer: Outposts is a fully managed service that extends AWS infrastructure to on‑premises data centers. You run EC2, EBS, RDS, EKS, and other services locally, connected to the AWS region. Provides consistent hybrid cloud experience.
What is AWS Wavelength?
Answer: Wavelength is an AWS edge service that embeds compute and storage at the edge of 5G networks (carrier partners). Enables ultra‑low latency applications (autonomous vehicles, AR/VR, gaming) without leaving the mobile network.
What is an AWS Local Zone?
Answer: A local zone is an extension of an AWS region placed close to a large population center (e.g., Los Angeles). Provides low‑latency at the edge for applications like media rendering, real‑time gaming, or VDI. Not globally distributed like CloudFront edges.
What are the AWS Well‑Architected Framework pillars?
Answer: Six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability. AWS provides a review tool to assess workloads against these principles.
How do you reduce costs in AWS?
Answer: Use spot instances for fault‑tolerant workloads, right‑size EC2 (CloudWatch metrics), use Reserved Instances or Savings Plans, set up S3 lifecycle policies (move to Glacier), delete unattached EBS volumes and EIPs, use S3 Intelligent‑Tiering, and enable AWS Budgets.
What is an AWS Snowball device?
Answer: Snowball is a data transport device (physical appliance) for large‑scale data migration to AWS (petabytes). Snowball Edge also includes compute capacity. Alternative to uploading over network. Used for offline migration, edge processing.
What is AWS DataSync?
Answer: DataSync is an online data transfer service for moving large amounts of data between on‑premises storage and AWS (S3, EFS, FSx). Uses agent and secures data with TLS; incremental, scheduled transfers.
How would you debug a high CPU on an EC2 instance?
Answer: Use CloudWatch metrics and EC2 console. SSH into instance, run top, htop, mpstat. Check application logs, look for memory leaks, infinite loops, or spikes in requests. Implement auto‑scaling to add capacity, or upgrade instance type. Also check if instance is t2/t3 unlimited credit exhaustion.
Your S3 bucket is suddenly receiving many unauthorized requests. What steps would you take?
Answer: First, enable CloudTrail data events for the bucket to log requests. Check bucket policy and ACL – ensure not public unless intended. Use CloudFront signed URLs or cookies if you need controlled access. If it’s a DDoS, apply AWS WAF with rate limiting rules. If it’s a malicious actor, rotate credentials and consider prefix‑based blocking with bucket policies.
What is an AWS Service Control Policy (SCP)?
Answer: SCPs are policies in AWS Organizations that define the maximum available permissions for accounts in an organizational unit (OU) or the entire organization. They do not grant permissions; they restrict them. Useful for compliance: e.g., prevent disabling CloudTrail, or deny region usage.
What is an AWS Config rule?
Answer: Config rules evaluate resource configurations against desired settings. Managed rules provided by AWS (e.g., s3-bucket-public-read-prohibited). Custom rules run on Lambda triggers. Config can auto‑remediate notifications.
What is AWS Systems Manager (SSM)?
Answer: Systems Manager provides operational management for EC2 and on‑premises. Features: Run Command (execute scripts across instances), Patch Manager (automated OS patching), Session Manager (shell access without SSH), Parameter Store (secure configuration storage), and Inventory.
What is AWS Parameter Store?
Answer: Parameter Store is a managed key‑value store for configuration data (strings, secrets, DB strings). Can store plaintext or encrypted with KMS. Supports hierarchical structure, versioning, and TTL. Integrated with CloudFormation, Lambda, EC2, Secrets Manager.
What is AWS Secrets Manager?
Answer: Secrets Manager is designed specifically for secrets (passwords, API keys, database credentials). Automates rotation for RDS, Redshift, DocumentDB (built‑in), or custom secrets with Lambda. More expensive than Parameter Store but has automatic rotation.
What is the AWS Global Accelerator?
Answer: Global Accelerator improves global application performance by directing traffic over the AWS backbone (instead of the public internet). Uses anycast IP addresses and handles TCP/UDP. Unlike CloudFront (caching), Global Accelerator works for dynamic content and non‑HTTP.
What are the common AWS disaster recovery strategies?
Answer: Backup and Restore (RPO hours, RTO hours) – simplest, cheapest. Pilot Light (small core replicated, scaled on failover). Warm Standby (scaled‑down environment ready). Multi‑Site Active‑Active (full production in two regions, lowest RPO/RTO but expensive). Use RDS Multi‑AZ, Cross‑Region Replication for S3, CloudFront for static assets, Route53 failover.
Why should we hire you as an AWS engineer?
Answer: I have strong working knowledge of core AWS services (EC2, S3, VPC, IAM, RDS, Lambda). I understand the shared responsibility model and follow security best practices. I can design for high availability and cost optimization. I have hands‑on experience with Infrastructure as Code (CloudFormation/Terraform) and CI/CD. I am proactive in monitoring and troubleshooting using CloudWatch, CloudTrail, and X‑Ray. I enjoy solving real‑world cloud problems and continuously upskilling.