💼 AWS Interview Questions#

This chapter contains 50+ AWS interview questions organized by topic. These are commonly asked in Solutions Architect interviews at mid-to-senior level positions.

1. General AWS Questions#

Q1: What is the difference between scalability, elasticity, and high availability?#

Answer:

Example: Auto Scaling gives elasticity. Multi-AZ gives HA.

Q2: Explain the Shared Responsibility Model.#

Answer: AWS is responsible for security OF the cloud (physical security, hardware, networking, managed services). The customer is responsible for security IN the cloud (OS patching, IAM, data encryption, network configuration).

Q3: What is the Well-Architected Framework?#

Answer: A framework of 6 pillars for building reliable, secure, efficient, and cost-effective systems:

1. Operational Excellence
2. Security
3. Reliability
4. Performance Efficiency
5. Cost Optimization
6. Sustainability

Q4: Explain the difference between vertical and horizontal scaling.#

2. Compute (EC2, Lambda)#

Q5: When would you use EC2 vs Lambda?#

Q6: Explain the different EC2 purchasing options.#

Answer:

• On-Demand — Pay per hour, no commitment. Spiky/unpredictable workloads.
• Reserved — 1-3 year commitment. Steady-state workloads (up to 72% off).
• Spot — Up to 90% off but can be terminated. Batch, fault-tolerant.
• Dedicated — Physical server. Licensing/compliance requirements.

Q7: What happens when a Spot Instance is terminated?#

Answer: You get a 2-minute interruption notice. Use this time to:

1. Save checkpoints/data to S3 or EFS
2. Gracefully shut down processes
3. Use Lifecycle Hooks to trigger automation

Q8: How do you make EC2 instances highly available?#

Answer:

1. Deploy across at least 2 Availability Zones
2. Use Auto Scaling Group with min 2 instances
3. Use ALB with cross-zone load balancing
4. Use RDS Multi-AZ for database
5. Use Route53 health checks and failover routing

3. Storage (S3, EBS, EFS)#

Q9: When would you choose S3 vs EBS vs EFS?#

Answer:

Q10: How do you secure data in S3?#

Answer:

1. Encryption at rest — SSE-S3, SSE-KMS, SSE-C
2. Encryption in transit — HTTPS (CloudFront)
3. IAM policies — Least privilege
4. Bucket policies — Restrict access by IP, VPC, MFA
5. Block Public Access settings
6. Versioning — Protect against accidental deletion
7. Object Lock — WORM compliance

Q11: Explain S3 storage classes and when to use each.#

Answer:

Q12: What is S3 Transfer Acceleration?#

Answer: Uses AWS Edge Locations to accelerate uploads over long distances. Best for large files uploaded from far away. Not beneficial for small files or nearby regions.

4. Networking (VPC)#

Q13: Design a VPC for a 3-tier web application.#

Answer:

├── Public Subnets (AZ-1a, AZ-1b)
│   ├── ALB
│   └── NAT Gateway
├── Private Subnets (AZ-1a, AZ-1b)
│   ├── EC2 (Auto Scaling)
│   └── Application Tier
├── Database Subnets (AZ-1a, AZ-1b)
│   ├── RDS (Multi-AZ)
│   └── ElastiCache

Q14: What’s the difference between a Security Group and a NACL?#

Answer:

Q15: How would you connect two VPCs in different regions?#

Answer: Use VPC Peering (cross-region) or Transit Gateway for more than 5 VPCs.

5. Databases#

Q16: What’s the difference between Multi-AZ and Read Replicas in RDS?#

Answer:

Q17: When should you use DynamoDB vs RDS?#

Answer:

Q18: What is DynamoDB DAX and when would you use it?#

Answer: DAX (DynamoDB Accelerator) is an in-memory cache that provides microsecond latency for read-heavy workloads. Use for real-time apps, gaming leaderboards, or hot read-heavy data.

6. High Availability & Disaster Recovery#

Q19: Explain the four DR strategies on AWS.#

Answer:

1. Backup & Restore — Lowest cost, highest RTO (hours). Recover from snapshots.
2. Pilot Light — Core services running in DR. Scale up on failover. RTO: ~30min.
3. Warm Standby - Scaled-down prod running in DR. Scale up on failover. RTO: ~5min.
4. Multi-Site Active-Active — Full prod in 2+ regions. RTO: near zero. Highest cost.

Q20: What’s the difference between RTO and RPO?#

Answer:

7. Security & Compliance#

Q21: How does KMS envelope encryption work?#

Answer:

1. Generate a Data Encryption Key (DEK) from KMS
2. Encrypt data with plaintext DEK (locally)
3. Store encrypted DEK with data
4. Decrypt: KMS decrypts DEK → Use DEK to decrypt data

This avoids the 1 MB limit of direct KMS encryption.

Q22: What’s the difference between IAM roles and resource-based policies?#

Answer:

Q23: Explain how you would implement least privilege access.#

Answer:

1. Start with deny all (explicit Deny)
2. Grant only necessary permissions
3. Use conditions (IP, time, MFA)
4. Use permission boundaries to limit max permissions
5. Use SCPs for organizational guardrails
6. Use IAM Access Analyzer to identify over-permissive policies
7. Review and rotate keys every 90 days

8. Cost Optimization#

Q24: How would you reduce EC2 costs by 40%?#

Answer:

1. Right-size instances (downsize over-provisioned)
2. Use Savings Plans or Reserved Instances (30-72% off)
3. Use Spot Instances for fault-tolerant workloads (90% off)
4. Stop unused instances during non-business hours
5. Use Auto Scaling to match demand
6. Use T3 burstable for variable workloads

Q25: What’s the difference between a Cost Budget and a Usage Budget?#

Answer:

9. Scenario-Based Questions#

Q26: A company has a web app that stores session data on EC2 instances. Users are getting errors during high traffic. What do you recommend?#

Answer: Make the app stateless by moving session data to ElastiCache (Redis). This allows any instance to serve any user, enabling Auto Scaling.

Q27: A company needs to share large files (10GB+) with external partners securely. What’s the best approach?#

Answer: Store files in S3 with pre-signed URLs (time-limited access). Use CloudFront for faster downloads globally.

Q28: A database migration from Oracle to Aurora PostgreSQL requires minimal downtime. What do you use?#

Answer: Use AWS DMS (Database Migration Service) with ongoing replication (CDC). Use AWS SCT for schema conversion.

10. Architecture Design Questions#

Q29: Design a real-time analytics pipeline for 10TB of daily data.#

Answer:

IoT Devices → Kinesis Data Streams → Kinesis Data Analytics → S3
                              ↓
                        Lambda (transform)
                              ↓
                        OpenSearch Service

Q30: Design a global e-commerce platform with < 100ms latency worldwide.#

Answer:

1. Route53 with latency-based routing
2. CloudFront CDN at Edge Locations for static content
3. DynamoDB Global Tables for active-active multi-region DB
4. Global Accelerator for dynamic content routing
5. Lambda@Edge for user-specific logic at Edge

✅ Chapter Quiz#

1. What is the difference between scalability and elasticity?

   • A) They are the same
   • B) Scalability handles increased load; elasticity dynamically adjusts resources based on demand
   • C) Elasticity handles increased load; scalability dynamically adjusts resources
   • D) Neither relates to resource management

2. Under the Shared Responsibility Model, who is responsible for patching the OS on an EC2 instance?

   • A) AWS
   • B) The customer
   • C) Both
   • D) Third-party vendor

3. Which of the Well-Architected Framework pillars focuses on recovering from failures?

   • A) Security
   • B) Reliability
   • C) Performance Efficiency
   • D) Operational Excellence

4. What is the maximum retention period for CloudWatch Logs?

   • A) 90 days
   • B) 1 year
   • C) 5 years
   • D) 10 years

5. Which EC2 purchasing option is best for a fault-tolerant batch processing workload?

   • A) On-Demand
   • B) Reserved
   • C) Spot
   • D) Dedicated

6. What is the difference between Multi-AZ and Read Replicas in RDS?

   • A) Multi-AZ is for HA with synchronous replication; Read Replicas are for read scaling with async replication
   • B) They are the same feature
   • C) Read Replicas provide HA; Multi-AZ provides read scaling
   • D) Multi-AZ requires manual failover

7. Which AWS service is used to create a private, dedicated network connection from on-premises to AWS?

   • A) VPN
   • B) Direct Connect
   • C) VPC Peering
   • D) Transit Gateway

8. What is the purpose of an S3 pre-signed URL?

   • A) To make objects public
   • B) To grant time-limited access to a private object
   • C) To accelerate uploads
   • D) To encrypt objects

9. Which AWS service provides managed threat detection using ML?

   • A) Inspector
   • B) GuardDuty
   • C) Macie
   • D) Security Hub

10. What is the RPO of Aurora Global Database?

    • A) Under 1 second
    • B) 5 seconds
    • C) 1 minute
    • D) 5 minutes

11. Which AWS service would you use to store application configuration parameters with encryption?

    • A) DynamoDB
    • B) Parameter Store (SecureString)
    • C) S3
    • D) CloudFormation

12. How does KMS handle data larger than 1 MB?

    • A) It can encrypt any size
    • B) It uses envelope encryption with a data key
    • C) It compresses the data first
    • D) It rejects the request

13. What is the difference between a Security Group and a NACL?

    • A) Security Groups are stateless; NACLs are stateful
    • B) Security Groups are stateful; NACLs are stateless
    • C) Both are stateful
    • D) Both are stateless

14. Which service provides automatic failover for an RDS database across Availability Zones?

    • A) Read Replicas
    • B) Multi-AZ
    • C) Automated backups
    • D) Snapshots

15. What is the primary use case for DynamoDB DAX?

    • A) Cross-region replication
    • B) In-memory caching for microsecond read latency
    • C) Data warehousing
    • D) Stream processing

16. Which S3 storage class is best for data with unknown or changing access patterns?

    • A) S3 Standard
    • B) S3 Intelligent-Tiering
    • C) S3 Glacier
    • D) S3 One Zone-IA

17. What is the purpose of an IAM role?

    • A) To create a user with permanent credentials
    • B) To grant temporary permissions to a trusted entity
    • C) To set a password policy
    • D) To manage billing

18. Which AWS service should be used to decouple microservices for asynchronous communication?

    • A) SQS
    • B) API Gateway
    • C) ELB
    • D) CloudFront

19. What is the maximum time a Lambda function can run?

    • A) 5 minutes
    • B) 10 minutes
    • C) 15 minutes
    • D) 30 minutes

20. Which DR strategy has the lowest cost but highest RTO?

    • A) Multi-Site Active-Active
    • B) Warm Standby
    • C) Pilot Light
    • D) Backup & Restore

21. What is the purpose of AWS Control Tower?

    • A) To set up and govern a secure multi-account AWS environment
    • B) To monitor EC2 instances
    • C) To manage database migrations
    • D) To deploy containers

22. Which AWS service provides a managed Apache Kafka service?

    • A) SQS
    • B) MSK (Managed Streaming for Kafka)
    • C) Kinesis
    • D) SNS

23. What is the primary benefit of using Fargate over EC2 launch type for ECS?

    • A) Full control over the operating system
    • B) No need to manage underlying servers
    • C) Lower cost
    • D) Higher performance

24. Which routing policy in Route53 is used to route traffic based on geographic location of the user?

    • A) Latency
    • B) Geolocation
    • C) Failover
    • D) Weighted

25. What does the AWS Well-Architected Framework’s Sustainability pillar focus on?

    • A) Reducing carbon footprint and energy consumption
    • B) Improving security
    • C) Reducing costs
    • D) Increasing performance

📚 Additional Resources#

• AWS Interview Questions (Official)
• AWS Architecture Center
• AWS re:Post Interview Prep

Next → Real-World Scenarios