Common AWS interview questions spanning beginner to advanced, covering core services, architecture, security, networking, and best practices frequently asked in cloud engineer, solutions architect, and DevOps roles.
AWS (Amazon Web Services) is a cloud computing platform offering on-demand infrastructure and services. Core components include compute (EC2, Lambda), storage (S3, EBS), databases (RDS, DynamoDB), networking (VPC, Route 53), and security (IAM, KMS).
S3 is object storage accessed over an HTTPS REST API, ideal for unstructured data, backups, and static assets, with virtually unlimited capacity. EBS (Elastic Block Store) is block-level storage that lives in a single Availability Zone and is attached to one EC2 instance at a time (Multi-Attach for io1/io2 volumes is the narrow exception), behaving like a hard drive for OS and application data.
An IAM User represents a person or application with long-term credentials (username/password or access keys). An IAM Role is an identity with temporary credentials assumed by AWS services, users, or external identities, and has no permanent credentials attached to it.
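The user/role distinction matters most at the trust policy, because a role is only as safe as the set of principals allowed to assume it. As an added example (not code from the original page), the following Python linter flags the two mistakes that most often turn a role into an open door: a wildcard principal, and a cross-account principal with no sts:ExternalId condition. The account IDs, the sample policies, and the set of checks are constructed assumptions, not an AWS-published checklist.

```python
import json

OWNER_ACCOUNT = "111111111111"  # constructed: the account that owns the role

# Constructed sample: partner account trusted without an ExternalId, plus a
# second statement that lets any principal call any STS action.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:*"},
    ],
}

# Constructed sample: same partner, pinned with an ExternalId; Lambda may also assume it.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "c7f1-example"}}},
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """AWS-account principals of a statement; '*' means anyone. Service/Federated are skipped."""
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS"))]


def _account_of(principal):
    """'arn:aws:iam::222222222222:root' -> '222222222222'; bare account IDs pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def lint_trust_policy(policy, owner_account=OWNER_ACCOUNT):
    """Return a list of findings for a trust policy (dict or JSON string); [] means clean."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.startswith("sts:") for a in actions):
            continue  # not an assume-role statement
        if "*" in actions or "sts:*" in actions:
            findings.append(f"stmt {i}: action {actions} is broader than the specific sts:AssumeRole* needed")
        # Condition keys, lowercased, across all operators (StringEquals, ArnLike, ...)
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for p in _aws_principals(stmt.get("Principal", {})):
            if p == "*":
                findings.append(f"stmt {i}: Principal '*' lets any AWS account assume this role")
            elif _account_of(p) != owner_account and "sts:externalid" not in cond_keys:
                findings.append(f"stmt {i}: cross-account principal {p} has no sts:ExternalId "
                                "condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, lint_trust_policy(doc) or "OK")
```

Run it against the output of `aws iam get-role` for each role in an account to find the trust policies worth reviewing first; a same-account principal without an ExternalId is deliberately not flagged, since the confused-deputy problem is specific to third parties.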
A VPC (Virtual Private Cloud) is a logically isolated network within AWS where you control IP addressing, subnets, route tables, and gateways. It is important because it provides network-level security and segmentation for your AWS resources.
A public subnet is one whose route table has a route to an Internet Gateway; resources in it are reachable from the internet if they also have a public or Elastic IP. A private subnet has no route to an Internet Gateway: its resources reach the internet only outbound, through a NAT Gateway or NAT instance placed in a public subnet, and cannot be reached inbound from the internet.
S3 storage classes include Standard (frequently accessed data), Intelligent-Tiering (automatic cost optimization), Standard-IA and One Zone-IA (infrequent access), Glacier Instant/Flexible/Deep Archive (long-term archival with varying retrieval times), and S3 Express One Zone (high-performance single-AZ).
Auto Scaling automatically adjusts the number of EC2 instances (or other resources) in response to demand using scaling policies based on CloudWatch metrics. It ensures availability by replacing unhealthy instances and controls cost by scaling in when demand drops.
Vertical scaling (scale up) means increasing the instance size (CPU/RAM), which requires downtime and has limits. Horizontal scaling (scale out) means adding more instances, is achieved with Auto Scaling Groups and load balancers, and is preferred for resilience and elasticity.
CloudFront is AWS's CDN that caches content at globally distributed edge locations close to end users, reducing latency. It also integrates with Shield and WAF for DDoS protection and can front S3, EC2, ALB, or custom origins.
ALB operates at Layer 7 (HTTP/HTTPS), supporting path-based and host-based routing, WebSockets, and gRPC — ideal for microservices. NLB operates at Layer 4 (TCP/UDP), handling millions of requests per second with ultra-low latency and static IP support.
RDS is a managed relational database service supporting SQL engines (MySQL, PostgreSQL, Aurora, etc.) suited for structured, relational data with ACID transactions. DynamoDB is a fully managed NoSQL key-value and document database designed for single-digit millisecond latency at any scale.
AWS is responsible for security 'of' the cloud — hardware, global infrastructure, managed services. Customers are responsible for security 'in' the cloud — OS patching, application security, IAM configuration, data encryption, and network controls within their environment.
SQS is a managed message queue for decoupling producers and consumers; messages are pulled by consumers and held until processed or expired. SNS is a pub/sub notification service that pushes messages to multiple subscribers (SQS, Lambda, HTTP, email) simultaneously — they are often combined in a fan-out pattern.
Lambda is a serverless compute service that runs code in response to events without provisioning servers, billed per request and per millisecond of execution time scaled by the memory allocated. Cold starts occur when a new execution environment is initialized (environment spin-up plus runtime and handler initialization), adding latency; mitigations include Provisioned Concurrency, SnapStart on supported runtimes, keeping functions warm with scheduled invocations, and minimizing package size and init-time work.
Security Groups are stateful, instance-level (ENI-level) firewalls that contain only allow rules; once an inbound connection is permitted, its return traffic is allowed automatically regardless of the outbound rules. Network ACLs are stateless, subnet-level firewalls that support both allow and deny rules, are evaluated lowest rule number first with the first match winning (ending in an implicit deny), and require return traffic, including the client's ephemeral ports, to be explicitly allowed in the opposite direction.
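The stateless/stateful difference is easiest to see on a concrete flow. The Python model below is an added example (not code from the page): it evaluates a constructed NACL rule set the way the subnet does, lowest rule number first, first match wins, implicit deny at the end, then contrasts it with a security group for one HTTP request and its reply. The rule sets, the client address, the client's source port, and the ephemeral range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumption: range to open outbound so replies to clients pass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest-first; first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    ports: tuple     # inclusive (low, high) destination-port range
    cidr: str        # remote IPv4 CIDR


def _matches(protocol, ports, cidr, flow_proto, flow_port, remote_ip):
    return (protocol in ("-1", flow_proto)
            and ports[0] <= flow_port <= ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


def nacl_decide(rules, flow_proto, flow_port, remote_ip):
    """Stateless: each packet is judged alone; unmatched packets hit the '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.protocol, r.ports, r.cidr, flow_proto, flow_port, remote_ip):
            return r.action
    return "deny"


def nacl_http_roundtrip(inbound, outbound, client_ip, client_port):
    """(request_allowed, reply_allowed) for a client hitting TCP/80 behind the NACL.

    The reply is a separate packet to the NACL: outbound, destined for the
    client's ephemeral source port, so it needs its own outbound rule.
    """
    req = nacl_decide(inbound, "tcp", 80, client_ip) == "allow"
    rep = nacl_decide(outbound, "tcp", client_port, client_ip) == "allow"
    return req, rep


def sg_http_roundtrip(inbound_allow, client_ip):
    """Stateful SG: allow rules only; if the request matches, the tracked reply
    is permitted whatever the outbound rule set says."""
    req = any(_matches(proto, ports, cidr, "tcp", 80, client_ip)
              for proto, ports, cidr in inbound_allow)
    return req, req


# Constructed rule sets
NACL_IN = [NaclRule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]
NACL_OUT_MISSING_EPHEMERAL = [NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT_FIXED = NACL_OUT_MISSING_EPHEMERAL + [NaclRule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]
SG_IN = [("tcp", (80, 80), "0.0.0.0/0")]

# Ordering pitfall: the same deny rule either blocks or is never reached,
# depending only on its rule number relative to the broad allow.
BLOCK_BEFORE_ALLOW = [NaclRule(90, "deny", "tcp", (80, 80), "203.0.113.0/24")] + NACL_IN
BLOCK_AFTER_ALLOW = NACL_IN + [NaclRule(110, "deny", "tcp", (80, 80), "203.0.113.0/24")]

if __name__ == "__main__":
    client, sport = "203.0.113.5", 50000
    print(nacl_http_roundtrip(NACL_IN, NACL_OUT_MISSING_EPHEMERAL, client, sport))  # (True, False)
    print(nacl_http_roundtrip(NACL_IN, NACL_OUT_FIXED, client, sport))             # (True, True)
    print(sg_http_roundtrip(SG_IN, client))                                         # (True, True)
    print(nacl_decide(BLOCK_BEFORE_ALLOW, "tcp", 80, client))                       # deny
    print(nacl_decide(BLOCK_AFTER_ALLOW, "tcp", 80, client))                        # allow
```

The first case is the classic symptom of a stateless ACL: the request reaches the instance, the response silently disappears, and the fix is an outbound rule for the ephemeral range rather than anything on the instance. The last two lines show why a deny meant as a blocklist must carry a lower number than the allow it is meant to override.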
CloudFormation is AWS's native IaC service using JSON/YAML templates to provision AWS resources, with native drift detection and StackSets for multi-account deployments. Terraform is a vendor-agnostic IaC tool using HCL that supports multi-cloud, has a richer ecosystem of modules, and manages state explicitly in a backend.
VPC Endpoints allow private connectivity between a VPC and AWS services (like S3 or DynamoDB) without traversing the public internet, reducing exposure and data transfer costs. Gateway Endpoints are route-table-based (S3/DynamoDB); Interface Endpoints use PrivateLink and ENIs for most other services.
Transit Gateway acts as a regional network hub connecting multiple VPCs and on-premises networks via a single managed gateway, supporting transitive routing. VPC Peering is a 1-to-1 non-transitive connection; Transit Gateway is preferred when managing many VPCs to avoid the complexity of a full mesh peering topology.
Multi-AZ synchronously replicates data to a standby in a different AZ for automatic failover, providing high availability (HA) with typically 60–120 second failover — it does not serve read traffic. Read Replicas use asynchronous replication to offload read workloads and can be promoted to standalone DBs, but are not a HA failover mechanism.
SCPs are IAM-syntax policies attached to the AWS Organizations root, OUs, or individual accounts that define the maximum permissions available to all principals in the affected member accounts, including those accounts' root users (they never restrict the management account, and service-linked roles are exempt). They do not grant permissions themselves: a request must be allowed by every SCP between the organization root and the account and by an identity-based policy (and any permission boundary), so effective permissions are the intersection, making SCPs a preventive guardrail for governance.
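As an added example (not code from the page), the following Python models the simplified evaluation for a single action in a member account: an explicit deny anywhere wins, otherwise the action must be allowed by at least one SCP at every level from the organization root down to the account and by the principal's identity-based policy. Resource ARNs, conditions, permission boundaries, session policies and resource-based policies are deliberately left out; the SCPs, the policies and the OU chain are constructed.

```python
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_verdict(policy, action):
    """Return 'deny', 'allow', or 'none' (no statement matched) for one policy document."""
    verdict = "none"
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt:
            matched = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            matched = any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny is final for this policy
        verdict = "allow"
    return verdict


def is_allowed(action, scp_chain, identity_policies):
    """scp_chain: one list of SCPs per level, root OU first, the account last.

    Every level must contain an allow for the action and no deny; only then
    do the principal's own identity-based policies get a say.
    """
    for level in scp_chain:
        verdicts = [policy_verdict(p, action) for p in level]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    verdicts = [policy_verdict(p, action) for p in identity_policies]
    return "deny" not in verdicts and "allow" in verdicts


# Constructed SCPs. FULL_AWS_ACCESS mirrors the default AWS-managed SCP that
# keeps everything allowed; the others are typical guardrails.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_GUARDDUTY_TAMPER = {"Statement": [{"Effect": "Deny",
                                        "Action": ["guardduty:DeleteDetector",
                                                   "guardduty:DisassociateFromMasterAccount"],
                                        "Resource": "*"}]}
ALLOWLIST_S3_EC2 = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# Constructed identity-based policies
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READER = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# root -> Workloads OU -> sandbox account (the account only has the allow-list attached)
SANDBOX_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_GUARDDUTY_TAMPER], [ALLOWLIST_S3_EC2]]

if __name__ == "__main__":
    print(is_allowed("s3:GetObject", SANDBOX_CHAIN, [ADMIN]))              # True
    print(is_allowed("iam:CreateUser", SANDBOX_CHAIN, [ADMIN]))            # False: not in account allow-list
    print(is_allowed("guardduty:DeleteDetector", SANDBOX_CHAIN, [ADMIN]))  # False: OU deny wins
    print(is_allowed("s3:PutObject", SANDBOX_CHAIN, [S3_READER]))          # False: SCP allows, identity does not
```

The admin principal loses `iam:CreateUser` without any deny statement at all: the account-level SCP simply never allows it, which is the allow-list style of guardrail. The reader loses `s3:PutObject` for the opposite reason: every SCP permits it, but nothing grants it, which is what "SCPs do not grant permissions" means in practice.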
© RM Full Stack & AI Engineer