AWS interviews test your understanding of cloud fundamentals, core services, networking, security, and architecture patterns. This guide covers the 50 most common questions — with concise answers, comparisons, and real examples.
Quick reference
| Topic | Most asked questions |
|---|---|
| Core concepts | Regions, AZs, edge locations, shared responsibility |
| IAM | Users/roles/policies, least privilege, STS |
| Compute | EC2 types, Lambda, ECS vs EKS, Auto Scaling |
| Storage | S3 classes, EBS vs EFS, Glacier |
| Databases | RDS vs DynamoDB, Aurora, ElastiCache |
| Networking | VPC, Security Groups vs NACL, Route 53, CloudFront |
| Messaging | SQS vs SNS vs EventBridge, Kinesis |
| Monitoring | CloudWatch, CloudTrail, X-Ray |
| IaC | CloudFormation, CDK, SAM |
| Architecture | Well-Architected Framework, HA patterns |
Core Concepts
1. What is the difference between an AWS Region, Availability Zone, and Edge Location?
| Concept | Definition | Example |
|---|---|---|
| Region | Independent geographic area containing multiple AZs | us-east-1 (N. Virginia) |
| Availability Zone (AZ) | One or more discrete data centres within a Region with independent power/cooling/networking | us-east-1a, us-east-1b |
| Edge Location | AWS PoP used by CloudFront and Route 53 for low-latency delivery | 400+ worldwide |
| Local Zone | Extension of a Region placing compute closer to end users | us-east-1-bos-1 (Boston) |
| Wavelength Zone | AZ embedded in telecom networks for ultra-low latency 5G apps | Verizon, Vodafone |
Design for multi-AZ by default; consider multi-Region only for disaster recovery or global low latency.
2. What is the AWS Shared Responsibility Model?
AWS divides security responsibilities between the provider and the customer:
| Layer | AWS Responsible For | Customer Responsible For |
|---|---|---|
| Physical | Data centres, hardware, networking | — |
| Hypervisor / Host OS | EC2 host patching | — |
| Guest OS | — | Patching Windows/Linux on EC2 |
| Application | — | Application code, data, configuration |
| Network controls | VPC infrastructure | Security Groups, NACLs, firewalls |
| Data | — | Encryption, access control, backups |
| Identity | IAM service | IAM users, roles, policies |
"Security of the cloud" = AWS. "Security in the cloud" = customer.
3. What are the main AWS Global Infrastructure components?
- 33 Regions (2024), each with ≥3 AZs
- 105 AZs across all regions
- 400+ Edge Locations for CloudFront
- AWS Outposts — AWS hardware in your on-premises data centre
- AWS Local Zones — single-digit ms latency for target metro areas
- AWS Wavelength — embedded in 5G carrier networks
IAM
4. What are the differences between IAM Users, Groups, Roles, and Policies?
| Concept | Description | Use case |
|---|---|---|
| User | Long-term identity for a person or service | Human with console/CLI access |
| Group | Collection of users sharing the same policies | "Developers" group with S3 read |
| Role | Temporary identity assumed by services or users | EC2 reading S3, cross-account access |
| Policy | JSON document defining Allow/Deny permissions | Attached to users, groups, or roles |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
5. What is the principle of least privilege in IAM?
Grant only the minimum permissions required to perform a task:
- Start with no permissions and add incrementally
- Use IAM Access Analyzer to identify unused permissions
- Use service control policies (SCPs) in AWS Organizations for guardrails
- Prefer roles over long-term access keys
- Enable MFA for all human users, especially root
- Rotate access keys regularly; use
aws iam generate-credential-report
6. What is AWS STS and when do you use it?
AWS Security Token Service (STS) issues temporary, limited-privilege credentials.
Common use cases:
| Scenario | STS API |
|---|---|
| EC2 assuming a role | AssumeRole (automatic via instance profile) |
| Cross-account access | AssumeRole with role ARN in another account |
| Federated users (SAML/OIDC) | AssumeRoleWithSAML / AssumeRoleWithWebIdentity |
| Multi-factor auth | GetSessionToken |
Temporary credentials expire (15 min–36 h) and do not need to be rotated manually.
7. What is the difference between an identity-based policy and a resource-based policy?
| Type | Attached to | Example |
|---|---|---|
| Identity-based | IAM user, group, or role | Allow user to write to S3 |
| Resource-based | Resource itself (S3 bucket, SQS queue, Lambda) | Allow another account to read from your S3 bucket |
Resource-based policies enable cross-account access without assuming a role. Both policies must allow the action for cross-account access to succeed.
Compute
8. What are the EC2 instance purchasing options?
| Option | Commitment | Savings vs On-Demand | Best for |
|---|---|---|---|
| On-Demand | None | Baseline | Unpredictable workloads |
| Reserved (1 or 3 yr) | 1–3 years | Up to 72% | Steady-state production |
| Savings Plans | 1–3 years ($/hour commit) | Up to 66% | Flexible compute (EC2 + Lambda + Fargate) |
| Spot | None | Up to 90% | Fault-tolerant, batch, CI/CD |
| Dedicated Host | Optional | Varies | Licensing (Windows/Oracle), compliance |
| Dedicated Instance | None | Small | Tenancy isolation |
9. What is the difference between vertical and horizontal scaling on EC2?
| Type | How | AWS mechanism | Downtime? |
|---|---|---|---|
| Vertical (scale up) | Larger instance type | Stop → change type → start | Brief (minutes) |
| Horizontal (scale out) | More instances | Auto Scaling Group + Load Balancer | Zero downtime |
Horizontal scaling is preferred for availability and cost efficiency. Use Auto Scaling Groups with min/desired/max counts and scaling policies (Target Tracking, Step, Scheduled).
10. What is AWS Lambda and when should you not use it?
Lambda runs code in response to events without managing servers. Billed per invocation and execution duration (1ms granularity).
Limitations that make Lambda a poor fit:
- Execution timeout: max 15 minutes (use ECS/Fargate for longer tasks)
- Cold starts add latency (mitigate with Provisioned Concurrency)
- Package size: 50 MB zipped / 250 MB unzipped (use Lambda Layers or container images up to 10 GB)
- Memory: up to 10 GB (CPU scales proportionally)
- Stateless by design (use DynamoDB, ElastiCache, or EFS for state)
- Not ideal for high-throughput streaming (use Kinesis + Lambda carefully)
11. What is the difference between ECS and EKS?
| Aspect | ECS | EKS |
|---|---|---|
| Orchestrator | AWS-native (proprietary) | Kubernetes (open standard) |
| Learning curve | Lower | Higher (K8s knowledge needed) |
| Launch types | EC2 and Fargate | EC2, Fargate, and Outposts |
| Ecosystem | AWS-only | Portable (any K8s cluster) |
| Operational overhead | Less | More (control plane managed by AWS, but more config) |
| Cost | Task-level billing (Fargate) | EKS cluster: $0.10/hour + nodes |
| Best for | Teams fully invested in AWS | Multi-cloud, K8s-native tooling |
Both support Fargate (serverless compute — no EC2 node management).
12. How does Auto Scaling work?
Auto Scaling adjusts the number of EC2 instances (or other resources) based on demand:
┌──────────────────────────────┐
│ Auto Scaling Group │
Traffic ──────►│ min=2 desired=4 max=10 │
│ ┌──┐ ┌──┐ ┌──┐ ┌──┐ │
│ │ │ │ │ │ │ │ │ │
└──┴──┴─┴──┴─┴──┴─┴──┴───────┘
│
Health check via ALB
Scaling policies:
- Target Tracking — maintain a metric at a target (e.g., CPU = 50%). Recommended.
- Step Scaling — add/remove based on CloudWatch alarm thresholds
- Scheduled — pre-warm for known traffic spikes
- Predictive — ML-based future demand forecasting
Storage
13. What are the S3 storage classes and when do you use each?
| Storage Class | Access | Retrieval | Min Duration | Use case |
|---|---|---|---|---|
| Standard | Frequent | Instant | None | Active data, websites |
| Intelligent-Tiering | Unknown | Instant | None | Unpredictable access patterns |
| Standard-IA | Infrequent | Instant | 30 days | Backups, DR |
| One Zone-IA | Infrequent | Instant | 30 days | Reproducible data (no multi-AZ) |
| Glacier Instant | Archival | Instant | 90 days | Archives accessed occasionally |
| Glacier Flexible | Archival | 1–12 hours | 90 days | Long-term backups |
| Glacier Deep Archive | Archival | ≤48 hours | 180 days | Regulatory 7–10 yr retention |
Use S3 Lifecycle Rules to automatically transition objects between classes.
14. What is the difference between EBS, EFS, and S3?
| Feature | EBS | EFS | S3 |
|---|---|---|---|
| Type | Block storage | Network file system (NFS) | Object storage |
| Access | Single EC2 (Multi-Attach with io2) | Multiple EC2 simultaneously | HTTP API from anywhere |
| Latency | Sub-ms (attached) | Low ms | 10–100ms |
| Sizing | Fixed (provision in advance) | Elastic (auto-grows) | Virtually unlimited |
| Durability | 99.8–99.999% (within AZ or replicated) | 99.999999999% (multi-AZ) | 99.999999999% |
| Use case | OS disk, database, transactional | Shared config, CMS, Lambda /tmp |
Backups, static assets, data lake |
15. What is S3 versioning and how does it relate to S3 Object Lock?
Versioning keeps multiple variants of an object. Deleted objects get a delete marker instead of being removed, allowing recovery.
Object Lock adds immutability on top of versioning:
| Mode | Behavior |
|---|---|
| Governance | Users with special IAM permission can overwrite/delete |
| Compliance | No one — including root — can delete until retention period expires |
| Legal Hold | No expiry; lasts until explicitly removed |
Required for WORM (write once, read many) regulatory requirements.
Databases
16. What is the difference between RDS and DynamoDB?
| Feature | RDS | DynamoDB |
|---|---|---|
| Type | Relational (SQL) | NoSQL (key-value + document) |
| Schema | Fixed schema | Schema-less |
| Scaling | Vertical (+ read replicas) | Horizontal (auto, serverless option) |
| Transactions | Full ACID | Supported (ACID, limited) |
| Query | Flexible SQL | Primary key / GSI only |
| Latency | 1–10ms | Single-digit ms at scale |
| Management | Managed, but choose instance size | Fully serverless option |
| Best for | Complex queries, joins, reporting | High-scale, simple access patterns |
17. What is Amazon Aurora and how does it differ from RDS MySQL?
Aurora is an AWS-built relational DB engine compatible with MySQL and PostgreSQL.
| Feature | RDS MySQL | Aurora MySQL |
|---|---|---|
| Storage | Attached EBS | Distributed cluster volume |
| Replication | Async (replica lag) | Async but shared storage (near-instant replica) |
| Read replicas | Up to 5 | Up to 15 |
| Failover | 60–120 seconds | Typically <30 seconds |
| Storage | Manual provision / storage autoscaling | Auto-grows in 10 GB increments up to 128 TiB |
| Performance | 1× MySQL | Up to 5× MySQL |
| Cost | Lower | Higher (typically 20% more) |
Aurora Serverless v2 scales capacity in fine-grained increments (0.5 ACU steps) — great for variable workloads.
18. What is ElastiCache and when do you use Redis vs Memcached?
ElastiCache is a managed in-memory caching service.
| Feature | Redis | Memcached |
|---|---|---|
| Data types | Strings, hashes, lists, sets, sorted sets, streams | Strings only |
| Persistence | Snapshots (RDB) + AOF | None |
| Replication | Yes (multi-AZ) | No |
| Cluster mode | Yes (sharding) | Yes (multi-threaded) |
| Pub/Sub | Yes | No |
| Geospatial | Yes | No |
| TTL | Yes | Yes |
| Best for | Sessions, leaderboards, pub/sub, rate limiting | Simple caching, multi-threaded scale |
Use Redis in almost all new projects. Memcached has slightly better raw cache throughput with multiple CPU cores.
19. What are DynamoDB Global Secondary Indexes (GSIs)?
A GSI lets you query DynamoDB on attributes other than the primary key.
Table primary key: userId (partition) + createdAt (sort)
GSI: email (partition key) → query by email without scan
- Up to 20 GSIs per table
- GSI has its own provisioned throughput (separate from the base table)
- Eventually consistent reads only
- Data is automatically projected/replicated to the GSI
- Local Secondary Index (LSI) — same partition key, different sort key; must be defined at table creation; strongly consistent reads allowed
Networking
20. What is a VPC and what are its key components?
A Virtual Private Cloud (VPC) is a logically isolated network in AWS.
| Component | Purpose |
|---|---|
| CIDR block | IP address range (e.g., 10.0.0.0/16) |
| Subnet | Sub-range of VPC CIDR in a specific AZ |
| Internet Gateway (IGW) | Enables internet access for public subnets |
| NAT Gateway | Allows private subnet instances to reach the internet (outbound only) |
| Route Table | Rules for directing traffic |
| Security Group | Stateful firewall at the instance/ENI level |
| NACL | Stateless firewall at the subnet level |
| VPC Peering | Private connection between two VPCs |
| Transit Gateway | Hub-and-spoke for connecting many VPCs and on-premises |
| VPC Endpoint | Private connection to AWS services without internet |
21. What is the difference between Security Groups and NACLs?
| Feature | Security Group | NACL |
|---|---|---|
| Stateful | Yes (response traffic automatically allowed) | No (must explicitly allow inbound AND outbound) |
| Applied to | ENI (instance level) | Subnet (affects all instances) |
| Rule types | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated | Rules evaluated in number order (first match wins) |
| Default | Deny all inbound, allow all outbound | Allow all in/out |
| Use case | Per-instance firewall | Subnet-level guardrails (block specific IPs) |
22. What are the types of AWS load balancers and when do you use each?
| Load Balancer | Layer | Protocols | Best for |
|---|---|---|---|
| Application LB (ALB) | 7 (HTTP) | HTTP, HTTPS, WebSocket | Web apps, path/host-based routing, microservices |
| Network LB (NLB) | 4 (Transport) | TCP, UDP, TLS | Ultra-low latency, static IP, TCP passthrough |
| Gateway LB (GWLB) | 3 (Network) | GENEVE | Inline security appliances (firewalls, IDS) |
| Classic LB (CLB) | 4 and 7 | HTTP, HTTPS, TCP | Legacy — avoid for new projects |
ALB supports target groups (EC2, Lambda, IP, containers), sticky sessions, weighted routing, and AWS WAF integration.
23. How does Route 53 routing work?
Route 53 is AWS's authoritative DNS service with health checking and traffic policies:
| Routing Policy | Behaviour |
|---|---|
| Simple | One or more IPs returned randomly |
| Failover | Primary → secondary if health check fails |
| Geolocation | Route based on user's geographic location |
| Geoproximity | Route based on distance (with bias adjustment) |
| Latency | Route to lowest-latency AWS region |
| Weighted | Split traffic by percentage (A/B testing, canary) |
| Multivalue | Return up to 8 healthy IPs (simple load balancing) |
| IP-based | Route based on CIDR blocks |
24. What is CloudFront and what problems does it solve?
CloudFront is AWS's CDN. It caches content at edge locations close to users.
Benefits:
- Reduced latency — serve from nearest PoP
- Offload origin — cache reduces requests to S3/ALB/EC2
- DDoS protection — AWS Shield Standard included free
- HTTPS everywhere — TLS termination at the edge
- Lambda@Edge / CloudFront Functions — run code at edge for A/B testing, auth, redirects
Cache behaviour: objects cached based on Cache-Control headers. Invalidate with /path/* patterns ($0.005 per path after first 1,000/month).
Messaging & Events
25. What is the difference between SQS, SNS, and EventBridge?
| Service | Pattern | Delivery | Retention | Best for |
|---|---|---|---|---|
| SQS | Queue (point-to-point) | Pull | Up to 14 days | Decoupled work queues, async processing |
| SNS | Pub/Sub (fan-out) | Push | None | Notify multiple subscribers (email, SMS, SQS, Lambda) |
| EventBridge | Event bus | Push | 24 hours (archives configurable) | Event-driven architecture, SaaS integration, scheduled rules |
Fan-out pattern: SNS → multiple SQS queues (each subscriber gets a copy).
26. What is SQS visibility timeout and how does it prevent duplicate processing?
When a consumer reads a message, SQS hides it from other consumers for the visibility timeout (default 30s, max 12h).
Consumer A reads message → message hidden for 30s
If A processes and deletes → message gone ✓
If A crashes → timeout expires → message re-appears for retry
- Set visibility timeout > your longest expected processing time
- Use dead-letter queues (DLQ) for messages that fail repeatedly (configure
maxReceiveCount) - SQS FIFO queues provide exactly-once processing using deduplication IDs
27. What is Amazon Kinesis and when do you use it instead of SQS?
| Feature | Kinesis Data Streams | SQS |
|---|---|---|
| Model | Ordered, partitioned stream | Unordered queue |
| Consumers | Multiple (fan-out, each reads independently) | One consumer per message |
| Retention | 1–365 days (replay) | Up to 14 days |
| Throughput | 1 MB/s or 1,000 records/s per shard | Auto-scales |
| Latency | ~200ms | Short poll: immediate; Long poll: up to 20s |
| Best for | Real-time analytics, clickstream, log ingestion | Task queues, decoupling |
Use Kinesis when you need ordering, replay, or multiple independent consumers of the same stream.
Monitoring & Observability
28. What is the difference between CloudWatch and CloudTrail?
| Service | What it records | Use case |
|---|---|---|
| CloudWatch | Metrics, logs, alarms, dashboards, events | Application and infrastructure monitoring |
| CloudTrail | API calls made to AWS services (who did what when) | Auditing, compliance, security investigation |
CloudWatch Logs Insights lets you query log groups with a SQL-like syntax. CloudTrail logs go to S3 or CloudWatch Logs.
29. What are CloudWatch Alarms and how do they work?
Alarms monitor a single metric and transition between states:
OK → ALARM → OK / INSUFFICIENT_DATA
Actions on ALARM:
- Send SNS notification → email, SMS, Lambda
- Trigger Auto Scaling (scale out/in)
- EC2 action (stop, terminate, reboot)
Composite alarms combine multiple alarms with AND/OR logic to reduce alert noise.
30. What is AWS X-Ray?
X-Ray is AWS's distributed tracing service. It:
- Traces requests as they travel across services (Lambda → API Gateway → DynamoDB)
- Generates a service map showing dependencies and latency
- Identifies bottlenecks and error rates per segment
- Groups traces by annotation for filtering
Use X-Ray SDK in your application code and enable active tracing on Lambda / API Gateway.
Security
31. What is AWS KMS and how does encryption work?
AWS Key Management Service (KMS) manages encryption keys.
CMK (Customer Managed Key)
→ KMS generates a Data Encryption Key (DEK)
→ DEK encrypts your data (envelope encryption)
→ Encrypted DEK stored alongside ciphertext
→ KMS decrypts DEK on demand (DEK never stored in plaintext)
| Key type | Who manages key material | Use case |
|---|---|---|
| AWS Managed Keys | AWS | Default (e.g., aws/s3) — no cost, less control |
| Customer Managed Keys (CMK) | Customer | $1/month, full rotation and policy control |
| Customer-provided (BYOK) | Customer | Own HSM, imported into KMS |
Enable automatic key rotation (annually) for CMKs.
32. What is the difference between WAF, Shield, and GuardDuty?
| Service | Protects Against | Layer |
|---|---|---|
| WAF | SQL injection, XSS, bad bots, IP blocking | L7 (HTTP) |
| Shield Standard | Basic DDoS (volumetric, SYN floods) | L3/4 (auto, free) |
| Shield Advanced | Sophisticated DDoS + cost protection + 24/7 DRT | L3/4/7 |
| GuardDuty | Threat detection: anomalous API calls, crypto-mining, compromised credentials | Control plane |
| Macie | Discovers and protects sensitive data in S3 (PII, credentials) | Data level |
| Security Hub | Aggregates findings from GuardDuty, Inspector, Macie, etc. | Aggregator |
33. How do you securely pass secrets to a Lambda function or EC2 instance?
Never hardcode secrets. Preferred approaches:
- AWS Secrets Manager — store database passwords, API keys. Automatic rotation support. Access via SDK in code.
- AWS SSM Parameter Store (SecureString) — cheaper, good for config and non-rotating secrets.
- Environment variables encrypted with KMS — for Lambda, less recommended for sensitive values.
- IAM roles — for AWS API credentials, never use access keys; use instance profiles or execution roles.
import boto3, json
def get_secret(name):
client = boto3.client('secretsmanager')
return json.loads(client.get_secret_value(SecretId=name)['SecretString'])
Infrastructure as Code
34. What is CloudFormation and what are its key concepts?
CloudFormation provisions AWS resources from declarative templates (YAML or JSON).
| Concept | Description |
|---|---|
| Template | YAML/JSON file describing resources |
| Stack | Deployed instance of a template |
| Change Set | Preview of changes before applying |
| Drift detection | Identifies manual changes to stack resources |
| Nested stacks | Reusable sub-templates via AWS::CloudFormation::Stack |
| Stack sets | Deploy stacks across multiple accounts/regions |
| Parameter | Input value passed at deploy time |
| Output | Values exported from a stack (cross-stack references) |
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "${AWS::StackName}-data"
VersioningConfiguration:
Status: Enabled
35. What is the difference between CloudFormation and Terraform?
| Feature | CloudFormation | Terraform |
|---|---|---|
| Provider | AWS only | Multi-cloud (AWS, GCP, Azure, Kubernetes…) |
| Language | YAML / JSON | HCL (HashiCorp Configuration Language) |
| State | Managed by AWS | Local or remote (Terraform Cloud, S3) |
| Drift detection | Built-in | terraform plan shows drift |
| CDK support | AWS CDK (generates CF) | CDK for Terraform (CDKtf) |
| Rollback | Automatic on failure | Manual or with -auto-approve flags |
| Community | AWS-native | Largest IaC community |
| Cost | Free | Open source free; Cloud/Enterprise paid |
Use CloudFormation if you're AWS-only. Use Terraform for multi-cloud or when your team prefers HCL and the Terraform ecosystem.
Architecture Patterns
36. What are the five pillars of the AWS Well-Architected Framework?
| Pillar | Focus |
|---|---|
| Operational Excellence | Run and monitor systems, improve processes |
| Security | Protect data, systems, and assets |
| Reliability | Recover from failures, meet demand dynamically |
| Performance Efficiency | Use computing resources efficiently |
| Cost Optimisation | Avoid unnecessary costs |
A sixth pillar was added in 2022: Sustainability — minimise environmental impact.
Use the Well-Architected Tool (free in the console) to review workloads against these pillars.
37. How do you design a highly available architecture on AWS?
Key principles:
- Multi-AZ — deploy across ≥2 AZs for all stateful components (RDS Multi-AZ, ELB, ASG)
- Loose coupling — use SQS/SNS between services to isolate failures
- Stateless compute — store session state in ElastiCache or DynamoDB, not in-process
- Health checks — ALB, Auto Scaling, Route 53 failover routing
- Circuit breaker — implement in code or use App Mesh / service mesh
- Backups + DR — RDS automated backups, S3 versioning, cross-region replication for critical data
- Chaos engineering — test failure modes with AWS Fault Injection Simulator
38. What is the difference between RTO and RPO?
| Metric | Stands for | Meaning | Goal |
|---|---|---|---|
| RTO | Recovery Time Objective | Max acceptable downtime after a failure | Lower = higher cost |
| RPO | Recovery Point Objective | Max acceptable data loss (time) | Lower = more frequent backups |
| DR Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup & Restore | Hours | Hours | Low |
| Pilot Light | 10s of minutes | Minutes | Medium |
| Warm Standby | Minutes | Seconds | High |
| Multi-Site Active/Active | ~0 | ~0 | Highest |
39. What is the serverless architecture pattern on AWS?
Client
→ CloudFront (CDN + edge cache)
→ API Gateway (REST or HTTP API)
→ Lambda (business logic)
→ DynamoDB / Aurora Serverless (database)
→ S3 (static assets, uploads)
→ SQS / SNS / EventBridge (async events)
→ Cognito (auth)
Benefits: no server management, pay per invocation, auto-scales to zero. Trade-offs: cold starts, 15-min execution limit, harder local development.
40. What is AWS CDK?
AWS Cloud Development Kit (CDK) lets you define AWS infrastructure in TypeScript, Python, Java, Go, or C# and synthesises it to CloudFormation templates.
import * as s3 from 'aws-cdk-lib/aws-s3';
const bucket = new s3.Bucket(this, 'MyBucket', {
versioned: true,
encryption: s3.BucketEncryption.S3_MANAGED,
removalPolicy: cdk.RemovalPolicy.RETAIN,
});
cdk synth # Generate CloudFormation template
cdk diff # Show what will change
cdk deploy # Deploy the stack
cdk destroy # Delete the stack
Additional Services
41. What is the difference between API Gateway REST API and HTTP API?
| Feature | REST API | HTTP API |
|---|---|---|
| Cost | Higher | ~70% cheaper |
| Latency | Higher | Lower |
| Features | More (usage plans, API keys, request validation, caching) | Less (auth, CORS, routes, throttling) |
| OIDC/JWT auth | Via Lambda authoriser | Native |
| WebSocket | No (use WebSocket API) | No |
| Best for | Full-featured APIs needing caching/API keys | Simple proxies to Lambda or HTTP backends |
42. What is AWS Step Functions?
Step Functions orchestrates multi-step workflows as state machines. Each state can invoke Lambda, Fargate, DynamoDB, SQS, SNS, Glue, and more.
[Start] → [Validate Input] → [Process Payment] → [Send Email] → [End]
↓ (on error)
[Handle Failure] → [End]
- Standard Workflows — durable, exactly-once, up to 1 year
- Express Workflows — high-volume, at-least-once, up to 5 minutes
- Visual debugger in the console
43. What is S3 Transfer Acceleration and when do you use it?
Transfer Acceleration routes uploads through CloudFront edge locations, then uses AWS's internal network backbone to reach the S3 bucket.
Use when:
- Users are geographically distant from the bucket's region
- Large file uploads (> 100 MB)
- High-throughput uploads across the internet
Enable with: aws s3api put-bucket-accelerate-configuration --bucket <name> --accelerate-configuration Status=Enabled
44. What is Amazon Cognito?
Cognito provides user identity and access management for web and mobile apps.
| Component | Function |
|---|---|
| User Pools | User directory: sign-up, sign-in, MFA, social IdP (Google, Apple), SAML federation |
| Identity Pools (Federated) | Exchange JWT from User Pool (or any IdP) for temporary AWS credentials to access AWS services directly |
Typical flow: User Pool issues JWT → API Gateway validates JWT (Cognito authoriser) → backend verifies claims.
45. What is Amazon CloudFront signed URLs vs signed cookies?
Both restrict access to private CloudFront content:
| Method | Use case |
|---|---|
| Signed URL | Access to a single specific file; RTMP distributions |
| Signed Cookie | Access to multiple files (e.g., subscriber accessing all content on a site) |
Generate using an RSA key pair associated with a CloudFront key group. Embed an expiry timestamp in the signature.
Troubleshooting & Best Practices
46. How do you debug a Lambda function that keeps timing out?
- Check CloudWatch Logs — look for the
Task timed out after X secondsmessage - Review the timeout setting — increase if tasks legitimately take longer
- Profile code — identify slow operations (DB queries, HTTP calls)
- Check VPC configuration — Lambda in a VPC needs a NAT Gateway to reach the internet or VPC endpoints for AWS services
- Connection pooling — initialise DB connections outside the handler (warm reuse)
- Downstream dependencies — add timeouts to all external HTTP/DB calls
- X-Ray tracing — identify which segment is slow
47. A CloudFormation stack update is stuck in UPDATE_IN_PROGRESS. What do you do?
- Wait — CloudFormation has built-in stabilisation checks; some resources take time
- Check resource events in the CF console (Events tab) for failure messages
- Common culprits: Auto Scaling group waiting for instances to pass health checks, RDS restart, Lambda function zip upload
- Cancel update — if safe — via
aws cloudformation cancel-update-stack - Stack rollback — on failure, CF rolls back automatically (check rollback events too)
- Stuck in rollback — you may need to skip specific resources with
--resources-to-skip
48. How do you reduce EC2 costs?
| Action | Potential saving |
|---|---|
| Right-size instances (use Compute Optimiser) | 20–40% |
| Switch to Graviton (ARM) instances | 20% |
| Use Reserved Instances or Savings Plans | Up to 72% |
| Use Spot for batch/CI | Up to 90% |
| Turn off dev/test instances nights + weekends | 65% |
| Delete unattached EBS volumes and snapshots | Varies |
| Use S3 Intelligent-Tiering | 40–68% on cold data |
49. What is the AWS Cost Explorer and how does tagging help?
Cost Explorer provides visualisations of AWS spending over time. Enable cost allocation tags to attribute spending:
Project: e-commerce
Environment: production
Team: backend
Owner: alice@example.com
After activating tags in the Billing Console, filter Cost Explorer by tag to see per-project or per-team costs. Use Budget Alerts to notify before spend exceeds threshold.
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Using root account for daily work | Critical security risk | Create IAM user + enable root MFA |
| Hardcoding AWS credentials in code | Secret exposure | Use IAM roles (instance profile, execution role) |
| Opening Security Group to 0.0.0.0/0 on port 22 | SSH brute-force exposure | Use SSM Session Manager or VPN |
| Not enabling versioning on S3 buckets | Accidental data loss | Enable versioning + Object Lock |
| Single-AZ deployments | Single point of failure | Multi-AZ RDS, ASG across AZs |
| Ignoring cost alerts until the bill arrives | Budget overrun | Set Budgets with SNS alerts |
| Lambda without timeout set (default 3s) | Silent failures | Always set explicit timeout |
| Not tagging resources | Uncontrolled cost, hard to audit | Enforce tagging via SCPs or Config rules |
AWS vs Azure vs GCP
| Service | AWS | Azure | GCP |
|---|---|---|---|
| Compute | EC2, Lambda, ECS/EKS, Fargate | VMs, Functions, AKS, Container Apps | Compute Engine, Cloud Functions, GKE, Cloud Run |
| Storage | S3, EBS, EFS | Blob Storage, Managed Disks, Azure Files | GCS, Persistent Disk, Filestore |
| Database | RDS, DynamoDB, Aurora, Redshift | SQL DB, Cosmos DB, Synapse | Cloud SQL, Firestore, Spanner, BigQuery |
| Networking | VPC, ALB, CloudFront, Route 53 | VNet, Application Gateway, CDN, DNS | VPC, Cloud Load Balancing, Cloud CDN, Cloud DNS |
| IAM | IAM | Azure AD / Entra | Cloud IAM |
| Monitoring | CloudWatch, CloudTrail, X-Ray | Monitor, Activity Log, App Insights | Cloud Monitoring, Cloud Logging, Cloud Trace |
| IaC | CloudFormation, CDK | ARM / Bicep | Deployment Manager / Config Connector |
| Market share | ~31% | ~25% | ~11% |
FAQ
Q: Do I need AWS certifications to pass an AWS interview? Certifications demonstrate commitment and structured knowledge, but interviewers care more about practical experience. Know the why behind services, not just their names. Hands-on projects count more than exam scores.
Q: What is the difference between a public subnet and a private subnet?
A public subnet has a route to an Internet Gateway in its route table (0.0.0.0/0 → igw-xxx). Instances with public IPs are reachable from the internet. A private subnet has no such route; instances reach the internet only through a NAT Gateway (outbound only).
Q: When should I use SQS vs direct Lambda invocation? Direct invocation is synchronous and tightly coupled. SQS decouples the producer from the consumer, adds retry logic via redrive/DLQ, and buffers spikes. Use SQS when you want resilience to consumer failures, need to smooth traffic bursts, or need to retry failed messages.
Q: What is the difference between aws:SourceIp and VPC endpoint conditions in IAM?
aws:SourceIp restricts based on the caller's IP — but for traffic through VPC endpoints it becomes the VPC's IP range, not the instance's. Use aws:SourceVpce or aws:SourceVpc to restrict access to a specific VPC endpoint or VPC when resources are accessed via endpoints.
Q: How does S3 cross-region replication (CRR) work? CRR copies objects from a source bucket to a destination bucket in a different region asynchronously. Requirements: versioning enabled on both buckets, IAM role for S3 to replicate on your behalf, replication rule configuration. Replication typically completes within minutes. Does not replicate objects that existed before CRR was enabled (use S3 Batch Operations for backfill).
Q: What is the maximum size of a Lambda deployment package? 50 MB zipped (direct upload) or 250 MB unzipped via S3. For larger dependencies use Lambda Layers (share across functions) or deploy as a container image (up to 10 GB) from ECR. Lambda supports any base image as long as it implements the Lambda Runtime Interface Client (RIC).