Toolmingo
Guides26 min read

50 AWS Interview Questions (With Answers)

Top AWS interview questions with clear answers — covering IAM, EC2, S3, Lambda, VPC, RDS, DynamoDB, SQS/SNS, CloudFormation, and the Well-Architected Framework.

AWS interviews test your understanding of cloud fundamentals, core services, networking, security, and architecture patterns. This guide covers the 50 most common questions — with concise answers, comparisons, and real examples.

Quick reference

Topic Most asked questions
Core concepts Regions, AZs, edge locations, shared responsibility
IAM Users/roles/policies, least privilege, STS
Compute EC2 types, Lambda, ECS vs EKS, Auto Scaling
Storage S3 classes, EBS vs EFS, Glacier
Databases RDS vs DynamoDB, Aurora, ElastiCache
Networking VPC, Security Groups vs NACL, Route 53, CloudFront
Messaging SQS vs SNS vs EventBridge, Kinesis
Monitoring CloudWatch, CloudTrail, X-Ray
IaC CloudFormation, CDK, SAM
Architecture Well-Architected Framework, HA patterns

Core Concepts

1. What is the difference between an AWS Region, Availability Zone, and Edge Location?

Concept Definition Example
Region Independent geographic area containing multiple AZs us-east-1 (N. Virginia)
Availability Zone (AZ) One or more discrete data centres within a Region with independent power/cooling/networking us-east-1a, us-east-1b
Edge Location AWS PoP used by CloudFront and Route 53 for low-latency delivery 400+ worldwide
Local Zone Extension of a Region placing compute closer to end users us-east-1-bos-1 (Boston)
Wavelength Zone AZ embedded in telecom networks for ultra-low latency 5G apps Verizon, Vodafone

Design for multi-AZ by default; consider multi-Region only for disaster recovery or global low latency.

2. What is the AWS Shared Responsibility Model?

AWS divides security responsibilities between the provider and the customer:

Layer AWS Responsible For Customer Responsible For
Physical Data centres, hardware, networking
Hypervisor / Host OS EC2 host patching
Guest OS Patching Windows/Linux on EC2
Application Application code, data, configuration
Network controls VPC infrastructure Security Groups, NACLs, firewalls
Data Encryption, access control, backups
Identity IAM service IAM users, roles, policies

"Security of the cloud" = AWS. "Security in the cloud" = customer.

3. What are the main AWS Global Infrastructure components?

  • 33 Regions (2024), each with ≥3 AZs
  • 105 AZs across all regions
  • 400+ Edge Locations for CloudFront
  • AWS Outposts — AWS hardware in your on-premises data centre
  • AWS Local Zones — single-digit ms latency for target metro areas
  • AWS Wavelength — embedded in 5G carrier networks

IAM

4. What are the differences between IAM Users, Groups, Roles, and Policies?

Concept Description Use case
User Long-term identity for a person or service Human with console/CLI access
Group Collection of users sharing the same policies "Developers" group with S3 read
Role Temporary identity assumed by services or users EC2 reading S3, cross-account access
Policy JSON document defining Allow/Deny permissions Attached to users, groups, or roles
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

5. What is the principle of least privilege in IAM?

Grant only the minimum permissions required to perform a task:

  • Start with no permissions and add incrementally
  • Use IAM Access Analyzer to identify unused permissions
  • Use service control policies (SCPs) in AWS Organizations for guardrails
  • Prefer roles over long-term access keys
  • Enable MFA for all human users, especially root
  • Rotate access keys regularly; use aws iam generate-credential-report

6. What is AWS STS and when do you use it?

AWS Security Token Service (STS) issues temporary, limited-privilege credentials.

Common use cases:

Scenario STS API
EC2 assuming a role AssumeRole (automatic via instance profile)
Cross-account access AssumeRole with role ARN in another account
Federated users (SAML/OIDC) AssumeRoleWithSAML / AssumeRoleWithWebIdentity
Multi-factor auth GetSessionToken

Temporary credentials expire (15 min–36 h) and do not need to be rotated manually.

7. What is the difference between an identity-based policy and a resource-based policy?

Type Attached to Example
Identity-based IAM user, group, or role Allow user to write to S3
Resource-based Resource itself (S3 bucket, SQS queue, Lambda) Allow another account to read from your S3 bucket

Resource-based policies enable cross-account access without assuming a role. Both policies must allow the action for cross-account access to succeed.


Compute

8. What are the EC2 instance purchasing options?

Option Commitment Savings vs On-Demand Best for
On-Demand None Baseline Unpredictable workloads
Reserved (1 or 3 yr) 1–3 years Up to 72% Steady-state production
Savings Plans 1–3 years ($/hour commit) Up to 66% Flexible compute (EC2 + Lambda + Fargate)
Spot None Up to 90% Fault-tolerant, batch, CI/CD
Dedicated Host Optional Varies Licensing (Windows/Oracle), compliance
Dedicated Instance None Small Tenancy isolation

9. What is the difference between vertical and horizontal scaling on EC2?

Type How AWS mechanism Downtime?
Vertical (scale up) Larger instance type Stop → change type → start Brief (minutes)
Horizontal (scale out) More instances Auto Scaling Group + Load Balancer Zero downtime

Horizontal scaling is preferred for availability and cost efficiency. Use Auto Scaling Groups with min/desired/max counts and scaling policies (Target Tracking, Step, Scheduled).

10. What is AWS Lambda and when should you not use it?

Lambda runs code in response to events without managing servers. Billed per invocation and execution duration (1ms granularity).

Limitations that make Lambda a poor fit:

  • Execution timeout: max 15 minutes (use ECS/Fargate for longer tasks)
  • Cold starts add latency (mitigate with Provisioned Concurrency)
  • Package size: 50 MB zipped / 250 MB unzipped (use Lambda Layers or container images up to 10 GB)
  • Memory: up to 10 GB (CPU scales proportionally)
  • Stateless by design (use DynamoDB, ElastiCache, or EFS for state)
  • Not ideal for high-throughput streaming (use Kinesis + Lambda carefully)

11. What is the difference between ECS and EKS?

Aspect ECS EKS
Orchestrator AWS-native (proprietary) Kubernetes (open standard)
Learning curve Lower Higher (K8s knowledge needed)
Launch types EC2 and Fargate EC2, Fargate, and Outposts
Ecosystem AWS-only Portable (any K8s cluster)
Operational overhead Less More (control plane managed by AWS, but more config)
Cost Task-level billing (Fargate) EKS cluster: $0.10/hour + nodes
Best for Teams fully invested in AWS Multi-cloud, K8s-native tooling

Both support Fargate (serverless compute — no EC2 node management).

12. How does Auto Scaling work?

Auto Scaling adjusts the number of EC2 instances (or other resources) based on demand:

                 ┌──────────────────────────────┐
                 │     Auto Scaling Group       │
  Traffic ──────►│  min=2  desired=4  max=10    │
                 │  ┌──┐ ┌──┐ ┌──┐ ┌──┐       │
                 │  │  │ │  │ │  │ │  │       │
                 └──┴──┴─┴──┴─┴──┴─┴──┴───────┘
                       │
              Health check via ALB

Scaling policies:

  • Target Tracking — maintain a metric at a target (e.g., CPU = 50%). Recommended.
  • Step Scaling — add/remove based on CloudWatch alarm thresholds
  • Scheduled — pre-warm for known traffic spikes
  • Predictive — ML-based future demand forecasting

Storage

13. What are the S3 storage classes and when do you use each?

Storage Class Access Retrieval Min Duration Use case
Standard Frequent Instant None Active data, websites
Intelligent-Tiering Unknown Instant None Unpredictable access patterns
Standard-IA Infrequent Instant 30 days Backups, DR
One Zone-IA Infrequent Instant 30 days Reproducible data (no multi-AZ)
Glacier Instant Archival Instant 90 days Archives accessed occasionally
Glacier Flexible Archival 1–12 hours 90 days Long-term backups
Glacier Deep Archive Archival ≤48 hours 180 days Regulatory 7–10 yr retention

Use S3 Lifecycle Rules to automatically transition objects between classes.

14. What is the difference between EBS, EFS, and S3?

Feature EBS EFS S3
Type Block storage Network file system (NFS) Object storage
Access Single EC2 (Multi-Attach with io2) Multiple EC2 simultaneously HTTP API from anywhere
Latency Sub-ms (attached) Low ms 10–100ms
Sizing Fixed (provision in advance) Elastic (auto-grows) Virtually unlimited
Durability 99.8–99.999% (within AZ or replicated) 99.999999999% (multi-AZ) 99.999999999%
Use case OS disk, database, transactional Shared config, CMS, Lambda /tmp Backups, static assets, data lake

15. What is S3 versioning and how does it relate to S3 Object Lock?

Versioning keeps multiple variants of an object. Deleted objects get a delete marker instead of being removed, allowing recovery.

Object Lock adds immutability on top of versioning:

Mode Behavior
Governance Users with special IAM permission can overwrite/delete
Compliance No one — including root — can delete until retention period expires
Legal Hold No expiry; lasts until explicitly removed

Required for WORM (write once, read many) regulatory requirements.


Databases

16. What is the difference between RDS and DynamoDB?

Feature RDS DynamoDB
Type Relational (SQL) NoSQL (key-value + document)
Schema Fixed schema Schema-less
Scaling Vertical (+ read replicas) Horizontal (auto, serverless option)
Transactions Full ACID Supported (ACID, limited)
Query Flexible SQL Primary key / GSI only
Latency 1–10ms Single-digit ms at scale
Management Managed, but choose instance size Fully serverless option
Best for Complex queries, joins, reporting High-scale, simple access patterns

17. What is Amazon Aurora and how does it differ from RDS MySQL?

Aurora is an AWS-built relational DB engine compatible with MySQL and PostgreSQL.

Feature RDS MySQL Aurora MySQL
Storage Attached EBS Distributed cluster volume
Replication Async (replica lag) Async but shared storage (near-instant replica)
Read replicas Up to 5 Up to 15
Failover 60–120 seconds Typically <30 seconds
Storage Manual provision / storage autoscaling Auto-grows in 10 GB increments up to 128 TiB
Performance 1× MySQL Up to 5× MySQL
Cost Lower Higher (typically 20% more)

Aurora Serverless v2 scales capacity in fine-grained increments (0.5 ACU steps) — great for variable workloads.

18. What is ElastiCache and when do you use Redis vs Memcached?

ElastiCache is a managed in-memory caching service.

Feature Redis Memcached
Data types Strings, hashes, lists, sets, sorted sets, streams Strings only
Persistence Snapshots (RDB) + AOF None
Replication Yes (multi-AZ) No
Cluster mode Yes (sharding) Yes (multi-threaded)
Pub/Sub Yes No
Geospatial Yes No
TTL Yes Yes
Best for Sessions, leaderboards, pub/sub, rate limiting Simple caching, multi-threaded scale

Use Redis in almost all new projects. Memcached has slightly better raw cache throughput with multiple CPU cores.

19. What are DynamoDB Global Secondary Indexes (GSIs)?

A GSI lets you query DynamoDB on attributes other than the primary key.

Table primary key: userId (partition) + createdAt (sort)

GSI: email (partition key) → query by email without scan
  • Up to 20 GSIs per table
  • GSI has its own provisioned throughput (separate from the base table)
  • Eventually consistent reads only
  • Data is automatically projected/replicated to the GSI
  • Local Secondary Index (LSI) — same partition key, different sort key; must be defined at table creation; strongly consistent reads allowed

Networking

20. What is a VPC and what are its key components?

A Virtual Private Cloud (VPC) is a logically isolated network in AWS.

Component Purpose
CIDR block IP address range (e.g., 10.0.0.0/16)
Subnet Sub-range of VPC CIDR in a specific AZ
Internet Gateway (IGW) Enables internet access for public subnets
NAT Gateway Allows private subnet instances to reach the internet (outbound only)
Route Table Rules for directing traffic
Security Group Stateful firewall at the instance/ENI level
NACL Stateless firewall at the subnet level
VPC Peering Private connection between two VPCs
Transit Gateway Hub-and-spoke for connecting many VPCs and on-premises
VPC Endpoint Private connection to AWS services without internet

21. What is the difference between Security Groups and NACLs?

Feature Security Group NACL
Stateful Yes (response traffic automatically allowed) No (must explicitly allow inbound AND outbound)
Applied to ENI (instance level) Subnet (affects all instances)
Rule types Allow only Allow and Deny
Rule evaluation All rules evaluated Rules evaluated in number order (first match wins)
Default Deny all inbound, allow all outbound Allow all in/out
Use case Per-instance firewall Subnet-level guardrails (block specific IPs)

22. What are the types of AWS load balancers and when do you use each?

Load Balancer Layer Protocols Best for
Application LB (ALB) 7 (HTTP) HTTP, HTTPS, WebSocket Web apps, path/host-based routing, microservices
Network LB (NLB) 4 (Transport) TCP, UDP, TLS Ultra-low latency, static IP, TCP passthrough
Gateway LB (GWLB) 3 (Network) GENEVE Inline security appliances (firewalls, IDS)
Classic LB (CLB) 4 and 7 HTTP, HTTPS, TCP Legacy — avoid for new projects

ALB supports target groups (EC2, Lambda, IP, containers), sticky sessions, weighted routing, and AWS WAF integration.

23. How does Route 53 routing work?

Route 53 is AWS's authoritative DNS service with health checking and traffic policies:

Routing Policy Behaviour
Simple One or more IPs returned randomly
Failover Primary → secondary if health check fails
Geolocation Route based on user's geographic location
Geoproximity Route based on distance (with bias adjustment)
Latency Route to lowest-latency AWS region
Weighted Split traffic by percentage (A/B testing, canary)
Multivalue Return up to 8 healthy IPs (simple load balancing)
IP-based Route based on CIDR blocks

24. What is CloudFront and what problems does it solve?

CloudFront is AWS's CDN. It caches content at edge locations close to users.

Benefits:

  • Reduced latency — serve from nearest PoP
  • Offload origin — cache reduces requests to S3/ALB/EC2
  • DDoS protection — AWS Shield Standard included free
  • HTTPS everywhere — TLS termination at the edge
  • Lambda@Edge / CloudFront Functions — run code at edge for A/B testing, auth, redirects

Cache behaviour: objects cached based on Cache-Control headers. Invalidate with /path/* patterns ($0.005 per path after first 1,000/month).


Messaging & Events

25. What is the difference between SQS, SNS, and EventBridge?

Service Pattern Delivery Retention Best for
SQS Queue (point-to-point) Pull Up to 14 days Decoupled work queues, async processing
SNS Pub/Sub (fan-out) Push None Notify multiple subscribers (email, SMS, SQS, Lambda)
EventBridge Event bus Push 24 hours (archives configurable) Event-driven architecture, SaaS integration, scheduled rules

Fan-out pattern: SNS → multiple SQS queues (each subscriber gets a copy).

26. What is SQS visibility timeout and how does it prevent duplicate processing?

When a consumer reads a message, SQS hides it from other consumers for the visibility timeout (default 30s, max 12h).

Consumer A reads message → message hidden for 30s
  If A processes and deletes → message gone ✓
  If A crashes → timeout expires → message re-appears for retry
  • Set visibility timeout > your longest expected processing time
  • Use dead-letter queues (DLQ) for messages that fail repeatedly (configure maxReceiveCount)
  • SQS FIFO queues provide exactly-once processing using deduplication IDs

27. What is Amazon Kinesis and when do you use it instead of SQS?

Feature Kinesis Data Streams SQS
Model Ordered, partitioned stream Unordered queue
Consumers Multiple (fan-out, each reads independently) One consumer per message
Retention 1–365 days (replay) Up to 14 days
Throughput 1 MB/s or 1,000 records/s per shard Auto-scales
Latency ~200ms Short poll: immediate; Long poll: up to 20s
Best for Real-time analytics, clickstream, log ingestion Task queues, decoupling

Use Kinesis when you need ordering, replay, or multiple independent consumers of the same stream.


Monitoring & Observability

28. What is the difference between CloudWatch and CloudTrail?

Service What it records Use case
CloudWatch Metrics, logs, alarms, dashboards, events Application and infrastructure monitoring
CloudTrail API calls made to AWS services (who did what when) Auditing, compliance, security investigation

CloudWatch Logs Insights lets you query log groups with a SQL-like syntax. CloudTrail logs go to S3 or CloudWatch Logs.

29. What are CloudWatch Alarms and how do they work?

Alarms monitor a single metric and transition between states:

OK → ALARM → OK / INSUFFICIENT_DATA

Actions on ALARM:

  • Send SNS notification → email, SMS, Lambda
  • Trigger Auto Scaling (scale out/in)
  • EC2 action (stop, terminate, reboot)

Composite alarms combine multiple alarms with AND/OR logic to reduce alert noise.

30. What is AWS X-Ray?

X-Ray is AWS's distributed tracing service. It:

  • Traces requests as they travel across services (Lambda → API Gateway → DynamoDB)
  • Generates a service map showing dependencies and latency
  • Identifies bottlenecks and error rates per segment
  • Groups traces by annotation for filtering

Use X-Ray SDK in your application code and enable active tracing on Lambda / API Gateway.


Security

31. What is AWS KMS and how does encryption work?

AWS Key Management Service (KMS) manages encryption keys.

CMK (Customer Managed Key)
  → KMS generates a Data Encryption Key (DEK)
  → DEK encrypts your data (envelope encryption)
  → Encrypted DEK stored alongside ciphertext
  → KMS decrypts DEK on demand (DEK never stored in plaintext)
Key type Who manages key material Use case
AWS Managed Keys AWS Default (e.g., aws/s3) — no cost, less control
Customer Managed Keys (CMK) Customer $1/month, full rotation and policy control
Customer-provided (BYOK) Customer Own HSM, imported into KMS

Enable automatic key rotation (annually) for CMKs.

32. What is the difference between WAF, Shield, and GuardDuty?

Service Protects Against Layer
WAF SQL injection, XSS, bad bots, IP blocking L7 (HTTP)
Shield Standard Basic DDoS (volumetric, SYN floods) L3/4 (auto, free)
Shield Advanced Sophisticated DDoS + cost protection + 24/7 DRT L3/4/7
GuardDuty Threat detection: anomalous API calls, crypto-mining, compromised credentials Control plane
Macie Discovers and protects sensitive data in S3 (PII, credentials) Data level
Security Hub Aggregates findings from GuardDuty, Inspector, Macie, etc. Aggregator

33. How do you securely pass secrets to a Lambda function or EC2 instance?

Never hardcode secrets. Preferred approaches:

  1. AWS Secrets Manager — store database passwords, API keys. Automatic rotation support. Access via SDK in code.
  2. AWS SSM Parameter Store (SecureString) — cheaper, good for config and non-rotating secrets.
  3. Environment variables encrypted with KMS — for Lambda, less recommended for sensitive values.
  4. IAM roles — for AWS API credentials, never use access keys; use instance profiles or execution roles.
import boto3, json

def get_secret(name):
    client = boto3.client('secretsmanager')
    return json.loads(client.get_secret_value(SecretId=name)['SecretString'])

Infrastructure as Code

34. What is CloudFormation and what are its key concepts?

CloudFormation provisions AWS resources from declarative templates (YAML or JSON).

Concept Description
Template YAML/JSON file describing resources
Stack Deployed instance of a template
Change Set Preview of changes before applying
Drift detection Identifies manual changes to stack resources
Nested stacks Reusable sub-templates via AWS::CloudFormation::Stack
Stack sets Deploy stacks across multiple accounts/regions
Parameter Input value passed at deploy time
Output Values exported from a stack (cross-stack references)
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-data"
      VersioningConfiguration:
        Status: Enabled

35. What is the difference between CloudFormation and Terraform?

Feature CloudFormation Terraform
Provider AWS only Multi-cloud (AWS, GCP, Azure, Kubernetes…)
Language YAML / JSON HCL (HashiCorp Configuration Language)
State Managed by AWS Local or remote (Terraform Cloud, S3)
Drift detection Built-in terraform plan shows drift
CDK support AWS CDK (generates CF) CDK for Terraform (CDKtf)
Rollback Automatic on failure Manual or with -auto-approve flags
Community AWS-native Largest IaC community
Cost Free Open source free; Cloud/Enterprise paid

Use CloudFormation if you're AWS-only. Use Terraform for multi-cloud or when your team prefers HCL and the Terraform ecosystem.


Architecture Patterns

36. What are the five pillars of the AWS Well-Architected Framework?

Pillar Focus
Operational Excellence Run and monitor systems, improve processes
Security Protect data, systems, and assets
Reliability Recover from failures, meet demand dynamically
Performance Efficiency Use computing resources efficiently
Cost Optimisation Avoid unnecessary costs

A sixth pillar was added in 2022: Sustainability — minimise environmental impact.

Use the Well-Architected Tool (free in the console) to review workloads against these pillars.

37. How do you design a highly available architecture on AWS?

Key principles:

  1. Multi-AZ — deploy across ≥2 AZs for all stateful components (RDS Multi-AZ, ELB, ASG)
  2. Loose coupling — use SQS/SNS between services to isolate failures
  3. Stateless compute — store session state in ElastiCache or DynamoDB, not in-process
  4. Health checks — ALB, Auto Scaling, Route 53 failover routing
  5. Circuit breaker — implement in code or use App Mesh / service mesh
  6. Backups + DR — RDS automated backups, S3 versioning, cross-region replication for critical data
  7. Chaos engineering — test failure modes with AWS Fault Injection Simulator

38. What is the difference between RTO and RPO?

Metric Stands for Meaning Goal
RTO Recovery Time Objective Max acceptable downtime after a failure Lower = higher cost
RPO Recovery Point Objective Max acceptable data loss (time) Lower = more frequent backups
DR Strategy RTO RPO Cost
Backup & Restore Hours Hours Low
Pilot Light 10s of minutes Minutes Medium
Warm Standby Minutes Seconds High
Multi-Site Active/Active ~0 ~0 Highest

39. What is the serverless architecture pattern on AWS?

Client
  → CloudFront (CDN + edge cache)
  → API Gateway (REST or HTTP API)
  → Lambda (business logic)
  → DynamoDB / Aurora Serverless (database)
  → S3 (static assets, uploads)
  → SQS / SNS / EventBridge (async events)
  → Cognito (auth)

Benefits: no server management, pay per invocation, auto-scales to zero. Trade-offs: cold starts, 15-min execution limit, harder local development.

40. What is AWS CDK?

AWS Cloud Development Kit (CDK) lets you define AWS infrastructure in TypeScript, Python, Java, Go, or C# and synthesises it to CloudFormation templates.

import * as s3 from 'aws-cdk-lib/aws-s3';

const bucket = new s3.Bucket(this, 'MyBucket', {
  versioned: true,
  encryption: s3.BucketEncryption.S3_MANAGED,
  removalPolicy: cdk.RemovalPolicy.RETAIN,
});
cdk synth      # Generate CloudFormation template
cdk diff       # Show what will change
cdk deploy     # Deploy the stack
cdk destroy    # Delete the stack

Additional Services

41. What is the difference between API Gateway REST API and HTTP API?

Feature REST API HTTP API
Cost Higher ~70% cheaper
Latency Higher Lower
Features More (usage plans, API keys, request validation, caching) Less (auth, CORS, routes, throttling)
OIDC/JWT auth Via Lambda authoriser Native
WebSocket No (use WebSocket API) No
Best for Full-featured APIs needing caching/API keys Simple proxies to Lambda or HTTP backends

42. What is AWS Step Functions?

Step Functions orchestrates multi-step workflows as state machines. Each state can invoke Lambda, Fargate, DynamoDB, SQS, SNS, Glue, and more.

[Start] → [Validate Input] → [Process Payment] → [Send Email] → [End]
                               ↓ (on error)
                        [Handle Failure] → [End]
  • Standard Workflows — durable, exactly-once, up to 1 year
  • Express Workflows — high-volume, at-least-once, up to 5 minutes
  • Visual debugger in the console

43. What is S3 Transfer Acceleration and when do you use it?

Transfer Acceleration routes uploads through CloudFront edge locations, then uses AWS's internal network backbone to reach the S3 bucket.

Use when:

  • Users are geographically distant from the bucket's region
  • Large file uploads (> 100 MB)
  • High-throughput uploads across the internet

Enable with: aws s3api put-bucket-accelerate-configuration --bucket <name> --accelerate-configuration Status=Enabled

44. What is Amazon Cognito?

Cognito provides user identity and access management for web and mobile apps.

Component Function
User Pools User directory: sign-up, sign-in, MFA, social IdP (Google, Apple), SAML federation
Identity Pools (Federated) Exchange JWT from User Pool (or any IdP) for temporary AWS credentials to access AWS services directly

Typical flow: User Pool issues JWT → API Gateway validates JWT (Cognito authoriser) → backend verifies claims.

45. What is Amazon CloudFront signed URLs vs signed cookies?

Both restrict access to private CloudFront content:

Method Use case
Signed URL Access to a single specific file; RTMP distributions
Signed Cookie Access to multiple files (e.g., subscriber accessing all content on a site)

Generate using an RSA key pair associated with a CloudFront key group. Embed an expiry timestamp in the signature.


Troubleshooting & Best Practices

46. How do you debug a Lambda function that keeps timing out?

  1. Check CloudWatch Logs — look for the Task timed out after X seconds message
  2. Review the timeout setting — increase if tasks legitimately take longer
  3. Profile code — identify slow operations (DB queries, HTTP calls)
  4. Check VPC configuration — Lambda in a VPC needs a NAT Gateway to reach the internet or VPC endpoints for AWS services
  5. Connection pooling — initialise DB connections outside the handler (warm reuse)
  6. Downstream dependencies — add timeouts to all external HTTP/DB calls
  7. X-Ray tracing — identify which segment is slow

47. A CloudFormation stack update is stuck in UPDATE_IN_PROGRESS. What do you do?

  1. Wait — CloudFormation has built-in stabilisation checks; some resources take time
  2. Check resource events in the CF console (Events tab) for failure messages
  3. Common culprits: Auto Scaling group waiting for instances to pass health checks, RDS restart, Lambda function zip upload
  4. Cancel update — if safe — via aws cloudformation cancel-update-stack
  5. Stack rollback — on failure, CF rolls back automatically (check rollback events too)
  6. Stuck in rollback — you may need to skip specific resources with --resources-to-skip

48. How do you reduce EC2 costs?

Action Potential saving
Right-size instances (use Compute Optimiser) 20–40%
Switch to Graviton (ARM) instances 20%
Use Reserved Instances or Savings Plans Up to 72%
Use Spot for batch/CI Up to 90%
Turn off dev/test instances nights + weekends 65%
Delete unattached EBS volumes and snapshots Varies
Use S3 Intelligent-Tiering 40–68% on cold data

49. What is the AWS Cost Explorer and how does tagging help?

Cost Explorer provides visualisations of AWS spending over time. Enable cost allocation tags to attribute spending:

Project: e-commerce
Environment: production
Team: backend
Owner: alice@example.com

After activating tags in the Billing Console, filter Cost Explorer by tag to see per-project or per-team costs. Use Budget Alerts to notify before spend exceeds threshold.


Common Mistakes

Mistake Impact Fix
Using root account for daily work Critical security risk Create IAM user + enable root MFA
Hardcoding AWS credentials in code Secret exposure Use IAM roles (instance profile, execution role)
Opening Security Group to 0.0.0.0/0 on port 22 SSH brute-force exposure Use SSM Session Manager or VPN
Not enabling versioning on S3 buckets Accidental data loss Enable versioning + Object Lock
Single-AZ deployments Single point of failure Multi-AZ RDS, ASG across AZs
Ignoring cost alerts until the bill arrives Budget overrun Set Budgets with SNS alerts
Lambda without timeout set (default 3s) Silent failures Always set explicit timeout
Not tagging resources Uncontrolled cost, hard to audit Enforce tagging via SCPs or Config rules

AWS vs Azure vs GCP

Service AWS Azure GCP
Compute EC2, Lambda, ECS/EKS, Fargate VMs, Functions, AKS, Container Apps Compute Engine, Cloud Functions, GKE, Cloud Run
Storage S3, EBS, EFS Blob Storage, Managed Disks, Azure Files GCS, Persistent Disk, Filestore
Database RDS, DynamoDB, Aurora, Redshift SQL DB, Cosmos DB, Synapse Cloud SQL, Firestore, Spanner, BigQuery
Networking VPC, ALB, CloudFront, Route 53 VNet, Application Gateway, CDN, DNS VPC, Cloud Load Balancing, Cloud CDN, Cloud DNS
IAM IAM Azure AD / Entra Cloud IAM
Monitoring CloudWatch, CloudTrail, X-Ray Monitor, Activity Log, App Insights Cloud Monitoring, Cloud Logging, Cloud Trace
IaC CloudFormation, CDK ARM / Bicep Deployment Manager / Config Connector
Market share ~31% ~25% ~11%

FAQ

Q: Do I need AWS certifications to pass an AWS interview? Certifications demonstrate commitment and structured knowledge, but interviewers care more about practical experience. Know the why behind services, not just their names. Hands-on projects count more than exam scores.

Q: What is the difference between a public subnet and a private subnet? A public subnet has a route to an Internet Gateway in its route table (0.0.0.0/0 → igw-xxx). Instances with public IPs are reachable from the internet. A private subnet has no such route; instances reach the internet only through a NAT Gateway (outbound only).

Q: When should I use SQS vs direct Lambda invocation? Direct invocation is synchronous and tightly coupled. SQS decouples the producer from the consumer, adds retry logic via redrive/DLQ, and buffers spikes. Use SQS when you want resilience to consumer failures, need to smooth traffic bursts, or need to retry failed messages.

Q: What is the difference between aws:SourceIp and VPC endpoint conditions in IAM? aws:SourceIp restricts based on the caller's IP — but for traffic through VPC endpoints it becomes the VPC's IP range, not the instance's. Use aws:SourceVpce or aws:SourceVpc to restrict access to a specific VPC endpoint or VPC when resources are accessed via endpoints.

Q: How does S3 cross-region replication (CRR) work? CRR copies objects from a source bucket to a destination bucket in a different region asynchronously. Requirements: versioning enabled on both buckets, IAM role for S3 to replicate on your behalf, replication rule configuration. Replication typically completes within minutes. Does not replicate objects that existed before CRR was enabled (use S3 Batch Operations for backfill).

Q: What is the maximum size of a Lambda deployment package? 50 MB zipped (direct upload) or 250 MB unzipped via S3. For larger dependencies use Lambda Layers (share across functions) or deploy as a container image (up to 10 GB) from ECR. Lambda supports any base image as long as it implements the Lambda Runtime Interface Client (RIC).

Keep reading

All Toolmingotools are free & run in your browser

No sign-up, no upload, no watermark. Your files never leave your device.

Browse all tools