AWS Interview Question and Answers
What is AWS?
- AWS (Amazon Web Services) is a comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. It provides a wide range of services including compute, storage, databases, networking, analytics, machine learning, AI, IoT, mobile, security, hybrid, virtual and augmented reality, media, and application development, deployment, and management.
What are the key benefits of using AWS?
- Cost-Effective: Pay-as-you-go pricing, no upfront costs, economies of scale.
- Scalability & Elasticity: Easily scale resources up or down based on demand.
- Reliability: Global infrastructure with multiple Availability Zones.
- Performance: High-speed, low-latency infrastructure.
- Security: Robust security features and compliance certifications.
- Global Presence: Deploy applications in multiple regions around the world.
- Innovation: Access to a wide range of cutting-edge services.
Explain the AWS Shared Responsibility Model.
- The Shared Responsibility Model defines what AWS is responsible for and what the customer is responsible for regarding security.
- AWS is responsible for "Security OF the Cloud": This includes the underlying infrastructure (hardware, software, networking, facilities) that runs AWS services.
- Customer is responsible for "Security IN the Cloud": This includes security of their data, operating systems, platforms, applications, access control, and network configuration.
What are AWS Regions and Availability Zones?
- Regions: A geographical area where AWS has multiple data centers. Each region is isolated and independent.
- Availability Zones (AZs): Discrete data centers within a Region. AZs are physically separated but interconnected with low-latency, high-bandwidth networking. Deploying resources across multiple AZs provides high availability and fault tolerance.
What is Amazon EC2?
- Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the cloud. It allows you to launch virtual servers (instances) with various configurations (instance types) to run your applications.
What are different EC2 Instance Types?
- EC2 Instance Types are categorized into families optimized for different use cases, such as:
- General Purpose: (e.g., t, m instances) - Balance of compute, memory, and networking.
- Compute Optimized: (e.g., c instances) - High-performance processors.
- Memory Optimized: (e.g., r, x instances) - High memory-to-CPU ratio.
- Accelerated Computing: (e.g., p, g instances) - Hardware accelerators (GPUs, FPGAs).
- Storage Optimized: (e.g., i, d instances) - High disk I/O performance.
What is an AMI in EC2?
- An Amazon Machine Image (AMI) is a template that contains the software configuration needed to launch an EC2 instance. It includes the operating system, application server, and applications. You can use AMIs provided by AWS, the AWS community, the AWS Marketplace, or create your own custom AMIs.
Explain EC2 Security Groups.
- Security Groups act as a virtual firewall for your EC2 instances to control inbound and outbound traffic. They operate at the instance level and are stateful (if you allow inbound traffic, the outbound return traffic is automatically allowed). You define rules based on protocol, port range, and source/destination IP addresses or other Security Groups.
What is the difference between Security Groups and Network Access Control Lists (NACLs)?
- Security Groups:
- Operate at the instance level.
- Stateful.
- Allow rules only.
- Evaluate all rules before deciding whether to allow traffic.
- NACLs:
- Operate at the subnet level.
- Stateless (inbound and outbound rules must be explicitly defined).
- Allow and deny rules.
- Evaluate rules in order based on rule number.
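The four contrasts above, as an added example that is not part of the original page: a small Python model of how a security group and a NACL decide on an SSH request and its reply. It calls no AWS API; the addresses, ports and rule numbers are constructed sample values.

```python
"""Security Group vs. NACL rule evaluation, modelled in plain Python.
Added illustration for the answer above, not AWS code (it calls no AWS API);
addresses, ports and rule numbers are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str           # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also use "deny"; SGs are allow-only
    number: int = 0         # NACL rule number (evaluation order); unused by SGs


@dataclass(frozen=True)
class Packet:
    # Direction-neutral: the same object describes a request and its reply.
    protocol: str
    remote: str             # IP address of the non-instance side
    remote_port: int
    local_port: int         # port on the instance


def _matches(rule, pkt, port):
    return (rule.protocol in ("-1", pkt.protocol)
            and rule.port_from <= port <= rule.port_to
            and ip_address(pkt.remote) in ip_network(rule.cidr))


class SecurityGroup:
    """Instance level: allow rules only, every rule considered, stateful."""
    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()   # flows already permitted in one direction

    def _check(self, rules, pkt, port):
        # Stateful: return traffic of a tracked flow needs no rule of its own.
        key = (pkt.protocol, pkt.remote, pkt.remote_port, pkt.local_port)
        if key in self._tracked:
            return True
        if any(_matches(r, pkt, port) for r in rules):
            self._tracked.add(key)
            return True
        return False

    def allows_inbound(self, pkt):
        return self._check(self.inbound, pkt, pkt.local_port)

    def allows_outbound(self, pkt):
        return self._check(self.outbound, pkt, pkt.remote_port)


class NetworkAcl:
    """Subnet level: allow and deny rules, evaluated by number, stateless."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _check(rules, pkt, port):
        for rule in rules:          # lowest number first; first match wins
            if _matches(rule, pkt, port):
                return rule.action == "allow"
        return False                # the implicit "*" deny at the end

    def allows_inbound(self, pkt):
        return self._check(self.inbound, pkt, pkt.local_port)

    def allows_outbound(self, pkt):
        return self._check(self.outbound, pkt, pkt.remote_port)


def simulate_ssh():
    """Push an SSH request and its reply through both control types."""
    ssh = Packet("tcp", "203.0.113.9", 51000, 22)      # client we allow
    blocked = Packet("tcp", "203.0.113.5", 51000, 22)  # client we want to deny
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")],
                       outbound=[])                    # no outbound rule at all
    nacl = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, "203.0.113.0/24", "allow", number=100),
                 Rule("tcp", 22, 22, "203.0.113.5/32", "deny", number=90)],
        outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", number=100)])
    # Same NACL plus an outbound rule for the client's ephemeral port range.
    nacl_fixed = NetworkAcl(inbound=nacl.inbound, outbound=nacl.outbound + [
        Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", number=110)])
    return {
        "sg_request": sg.allows_inbound(ssh),          # True: inbound rule matches
        "sg_reply": sg.allows_outbound(ssh),           # True: stateful, no rule needed
        "sg_cannot_deny": sg.allows_inbound(blocked),  # True: SGs have no deny rule
        "nacl_denied_by_order": nacl.allows_inbound(blocked),  # False: rule 90 first
        "nacl_request": nacl.allows_inbound(ssh),      # True: rule 100 matches
        "nacl_reply": nacl.allows_outbound(ssh),       # False: stateless, 51000 unlisted
        "nacl_reply_with_ephemeral_rule": nacl_fixed.allows_outbound(ssh),  # True
    }
```

The last two results are the practical consequence of statelessness: a NACL that permits inbound SSH still drops the replies until the outbound ephemeral port range is explicitly allowed.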
What are the different ways to connect to an EC2 Instance?
- SSH: For Linux/Unix instances, using a key pair.
- RDP: For Windows instances, using a password (generated from the key pair).
- AWS Systems Manager Session Manager: Provides secure, browser-based or CLI access without needing SSH keys or opening inbound ports on the security group.
What is Amazon S3?
- Amazon Simple Storage Service (S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. It's used for storing and retrieving any amount of data from anywhere on the web.
What are S3 Buckets and Objects?
- Bucket: A container for objects stored in S3. Buckets have globally unique names.
- Object: The fundamental entity stored in S3. An object consists of data, metadata (key-value pairs), and a version ID.
Explain different S3 Storage Classes.
- S3 offers various storage classes optimized for different access patterns:
- S3 Standard: General-purpose, frequently accessed data, low latency.
- S3 Intelligent-Tiering: Automatically moves data between two access tiers based on access patterns.
- S3 Standard-Infrequent Access (S3 Standard-IA): Data accessed less frequently but requires rapid access when needed.
- S3 One Zone-Infrequent Access (S3 One Zone-IA): Same as Standard-IA but stores data in a single AZ (lower cost, less durability).
- Amazon S3 Glacier: Long-term archival storage for data accessed infrequently.
- Amazon S3 Glacier Deep Archive: Lowest-cost storage class for long-term archival, retrieved within 12 hours.
How do you ensure data security in S3?
- Encryption: Server-side encryption (SSE-S3, SSE-KMS, SSE-C) and client-side encryption.
- Access Control: Bucket Policies, Access Control Lists (ACLs), IAM Policies.
- Versioning: Protects against accidental deletions and overwrites.
- MFA Delete: Requires MFA to permanently delete objects.
- Logging: S3 access logs and CloudTrail logs.
What is Amazon RDS?
- Amazon Relational Database Service (RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It manages tasks like patching, backups, and scaling.
Which database engines are supported by Amazon RDS?
- Amazon Aurora (AWS proprietary)
- PostgreSQL
- MySQL
- MariaDB
- Oracle
- SQL Server
Explain RDS Multi-AZ deployments.
- Multi-AZ deployments provide high availability and durability for RDS instances. AWS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In case of an infrastructure failure, RDS automatically fails over to the standby replica.
Explain RDS Read Replicas.
- Read Replicas are asynchronous copies of an RDS database instance. They are used to scale out read-heavy database workloads. You can create up to 15 Read Replicas.
What is Amazon DynamoDB?
- Amazon DynamoDB is a fast and flexible NoSQL database service for all application workloads. It's a fully managed, serverless key-value and document database that delivers single-digit millisecond performance at any scale.
What is the difference between RDS and DynamoDB?
- RDS: Relational database (SQL), structured data, fixed schema, best for complex queries and transactions.
- DynamoDB: NoSQL database, unstructured or semi-structured data, flexible schema, best for high-performance, key-value, and document workloads at scale.
What is Amazon VPC?
- Amazon Virtual Private Cloud (VPC) is a service that lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment.
Explain Public and Private Subnets within a VPC.
- Public Subnet: A subnet whose instances can send and receive traffic from the internet through an Internet Gateway.
- Private Subnet: A subnet whose instances do not have direct internet access. They can access the internet via a NAT Gateway or NAT Instance in a public subnet.
What is an Internet Gateway (IGW)?
- An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It's a logical connection, not a physical device.
What is a NAT Gateway?
- A NAT (Network Address Translation) Gateway allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. NAT Gateways are managed by AWS and are highly available.
What is a Route Table in VPC?
- A Route Table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. Each subnet in a VPC must be associated with a route table.
What is Amazon Route 53?
- Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It translates human-readable domain names (like example.com) into machine-readable IP addresses.
Explain different Routing Policies in Route 53.
- Simple: Returns one or more IP addresses randomly.
- Weighted: Routes traffic to multiple resources based on assigned weights.
- Latency: Routes traffic to the region that provides the lowest latency for the user.
- Geolocation: Routes traffic based on the user's geographic location.
- Geoproximity: Routes traffic based on the geographic location of users and resources, with the option to bias traffic.
- Failover: Routes traffic to a primary resource when it's healthy and to a secondary resource when the primary is unhealthy.
- Multivalue Answer: Returns up to 8 healthy records, providing multiple IP addresses for a domain.
What is Amazon CloudFront?
- Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. It caches content at Edge Locations closer to users.
What is AWS IAM?
- AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to manage who is authenticated (signed in) and authorized (has permissions) to use resources.
Explain IAM Users, Groups, Roles, and Policies.
- User: An entity in IAM that represents a person or service that interacts with AWS.
- Group: A collection of IAM users. You can attach policies to a group, granting permissions to all users in the group.
- Role: An IAM identity that you can create with specific permissions. Roles are intended to be assumable by users, applications, or services.
- Policy: A document that defines permissions. Policies are written in JSON and can be attached to users, groups, or roles. They specify what actions are allowed or denied on which resources.
What is the principle of Least Privilege in IAM?
- The principle of least privilege means granting only the minimum permissions required for a user, group, or role to perform its intended tasks. This reduces the potential blast radius if credentials are compromised.
What is AWS KMS?
- AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. KMS is integrated with many other AWS services to encrypt data stored in those services.
What is AWS CloudTrail?
- AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It logs AWS API calls and related events made by a user, role, or AWS service, recording actions taken within your account.
What is Amazon CloudWatch?
- Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, SREs, IT managers, and developers. It collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of your AWS resources, applications, and services.
Explain CloudWatch Metrics, Alarms, and Logs.
- Metrics: Numerical data points collected over a period of time. AWS services automatically send metrics to CloudWatch. You can also publish custom metrics.
- Alarms: Watch a single metric over time and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods.
- Logs: Collect, monitor, store, and access your log files from EC2 instances, AWS CloudTrail, Route 53, and other sources.
What is AWS CloudFormation?
- AWS CloudFormation is an Infrastructure as Code (IaC) service that helps you model and set up your AWS resources. You define your infrastructure in templates (YAML or JSON), and CloudFormation provisions and configures those resources in a safe and repeatable manner.
What is Infrastructure as Code (IaC)?
- Infrastructure as Code (IaC) is the practice of managing and provisioning infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. It allows you to manage infrastructure like software code (versioning, testing, automation).
What is the difference between CloudFormation and Elastic Beanstalk?
- CloudFormation: A general-purpose IaC tool for provisioning *any* AWS resource. It gives you fine-grained control over your infrastructure.
- Elastic Beanstalk: A PaaS (Platform as a Service) that simplifies deploying and managing web applications. It handles provisioning underlying resources (EC2, load balancing, scaling) based on your application code. It's higher level than CloudFormation.
What is AWS Auto Scaling?
- AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. It can scale EC2 instances, DynamoDB tables, RDS instances, and more.
What are the different types of scaling policies in EC2 Auto Scaling?
- Simple Scaling: Adjusts capacity based on a single CloudWatch alarm threshold.
- Step Scaling: Adjusts capacity based on a set of scaling adjustments that vary based on the size of the alarm breach.
- Target Tracking Scaling: Scales based on a target value for a specific metric (e.g., maintain average CPU utilization at 60%). This is the recommended scaling policy.
- Scheduled Scaling: Scales based on a schedule (e.g., scale up every Monday morning).
What is Amazon EBS?
- Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances. EBS volumes are network-attached storage and persist independently of the life of an EC2 instance.
What are different EBS Volume Types?
- General Purpose SSD (gp2/gp3): Balances price and performance for a wide variety of transactional workloads.
- Provisioned IOPS SSD (io1/io2): Highest-performance SSD volumes for mission-critical, IOPS-intensive applications.
- Throughput Optimized HDD (st1): Low-cost HDD for frequently accessed, throughput-intensive workloads (big data, data warehouses).
- Cold HDD (sc1): Lowest-cost HDD for less frequently accessed workloads (cold data).
What is an EBS Snapshot?
- An EBS Snapshot is a point-in-time backup of an EBS volume. Snapshots are stored in S3 and are incremental (only the blocks that have changed since the last snapshot are stored). They can be used to create a new EBS volume, restoring the data.
What is Amazon VPC Peering?
- VPC Peering is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are in the same network. Peering connections are non-transitive.
What is AWS Lambda?
- AWS Lambda is a serverless, event-driven compute service that lets you run code without provisioning or managing servers. You pay only for the compute time you consume.
What are some common use cases for AWS Lambda?
- Processing S3 events (e.g., image resizing).
- Processing DynamoDB stream events.
- Responding to API Gateway requests (building serverless APIs).
- Executing scheduled tasks (cron jobs).
- Processing stream data (Kinesis).
What is the difference between Serverless and Managed Services?
- Serverless: The underlying infrastructure is completely abstracted away. You don't manage servers, and you typically pay based on usage (compute time, requests). Examples: Lambda, S3, DynamoDB, API Gateway.
- Managed Services: AWS manages the operational burden (hardware, software patching, backups, etc.), but you still interact with or configure underlying resources (like EC2 instances in RDS, or EC2 instances in Elastic Beanstalk).
What is Amazon SQS?
- Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. It allows sending, storing, and receiving messages between software components.
What is the difference between SQS Standard and SQS FIFO queues?
- SQS Standard: Offers maximum throughput and at-least-once delivery. Messages are not necessarily delivered in the exact order they are sent.
- SQS FIFO (First-In, First-Out): Guarantees that messages are processed exactly once, in the exact order that they are sent. Has a lower throughput limit than Standard queues. Used when the order of operations and exactly-once processing are critical.
What is Amazon SNS?
- Amazon Simple Notification Service (SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. It uses a publish-subscribe model where publishers send messages to a Topic, and subscribers receive messages published to that Topic.
What is the difference between SQS and SNS?
- SQS: A message queuing service used for decoupling applications (one-to-one or one-to-many with polling). Consumers pull messages from the queue.
- SNS: A publish-subscribe messaging service used for fanning out messages to multiple subscribers (one-to-many with push notifications). Subscribers are notified when a message is published.
What is AWS Systems Manager?
- AWS Systems Manager is a collection of capabilities that helps you manage your applications and infrastructure running in the AWS Cloud and on-premises. It simplifies resource and application management, shortens the time to detect and resolve operational problems, and helps you operate and manage your infrastructure securely at scale.
What are some key capabilities of AWS Systems Manager?
- Session Manager (secure shell access)
- Run Command (remote command execution)
- Patch Manager (automating OS patching)
- Parameter Store (storing configuration data and secrets)
- Automation (automating common IT tasks)
- Distributor (packaging and distributing software)
What is AWS Trusted Advisor?
- AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. It inspects your AWS environment and makes recommendations in five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.
What is AWS Organizations?
- AWS Organizations helps you centrally manage multiple AWS accounts. It allows you to consolidate billing, manage access, control compliance, and share resources across accounts.
What are Service Control Policies (SCPs) in AWS Organizations?
- Service Control Policies (SCPs) are a type of policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. They do not grant permissions; they set guardrails by specifying the maximum permissions.
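How the Allow and Deny statements from the IAM policy and least-privilege answers combine with an SCP guardrail, as an added example that is not part of the original page and not AWS code. It is a simplified model (no Condition, Principal or NotAction elements, one SCP document per organization level) over constructed sample policies.

```python
"""IAM policy evaluation with an SCP guardrail, modelled in plain Python.
Added illustration for this page's IAM policy, least-privilege and SCP answers;
not AWS code, and a simplified model (no Condition, Principal or NotAction
elements; one SCP document per organization level). Policies are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Actions match case-insensitively; "*" and "?" act as IAM wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one policy document.
    An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(identity_policies, action, resource, scps=()):
    """Combine identity-based policies with the account's SCPs.
    SCPs never grant anything: the request must be allowed by an identity
    policy AND by every SCP level; an explicit Deny anywhere is final."""
    results = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in results or "Allow" not in results:
        return False
    return all(evaluate_policy(scp, action, resource) == "Allow" for scp in scps)


# Constructed sample documents in the same JSON shape as real IAM and SCP policies.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def demo_authorization():
    obj = "arn:aws:s3:::example-bucket/report.csv"
    bucket = "arn:aws:s3:::example-bucket"
    scps = [GUARDRAIL_SCP]
    return {
        # s3:* on * lets the identity delete the bucket; the SCP guardrail stops it.
        "broad_delete_no_scp": is_authorized([BROAD], "s3:DeleteBucket", bucket),
        "broad_delete_with_scp": is_authorized([BROAD], "s3:DeleteBucket", bucket, scps),
        # The least-privilege policy permits only the intended read on one bucket.
        "scoped_get": is_authorized([LEAST_PRIVILEGE], "s3:GetObject", obj, scps),
        "scoped_put": is_authorized([LEAST_PRIVILEGE], "s3:PutObject", obj, scps),
        "scoped_other_bucket": is_authorized(
            [LEAST_PRIVILEGE], "s3:GetObject", "arn:aws:s3:::other-bucket/x", scps),
        # An SCP that allows everything still grants nothing by itself.
        "scp_alone": is_authorized([], "s3:GetObject", obj, scps),
    }
```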
What is AWS Budgets?
- AWS Budgets allows you to set custom budgets to track your costs and usage from the simplest to the most complex use cases. You can use AWS Budgets to set alerts when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.
What is AWS Cost Explorer?
- AWS Cost Explorer is a tool that enables you to visualize, understand, and manage your AWS costs and usage over time. You can analyze your data at a high level (e.g., total costs and usage across all accounts) or dive deeper into your costs and usage data to identify trends, pinpoint cost drivers, and detect anomalies.
What is AWS WAF?
- AWS Web Application Firewall (WAF) is a web application firewall that helps protect your web applications or APIs from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can define customizable web security rules.
What is AWS Shield?
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield Standard is automatically included at no extra cost. Shield Advanced provides enhanced protections for larger and more sophisticated attacks.
What is AWS GuardDuty?
- AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
What is AWS Config?
- AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
What is Amazon EKS?
- Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. AWS manages the Kubernetes control plane.
What is Amazon ECS?
- Amazon Elastic Container Service (ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. ECS is AWS's own orchestration service.
What is AWS Fargate?
- AWS Fargate is a serverless compute engine for containers. It allows you to run containers without having to provision or manage EC2 instances. You only pay for the compute resources required to run your containers. Fargate can be used with both ECS and EKS.
What is Amazon ECR?
- Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. It integrates with ECS, EKS, and Fargate.
What is AWS Step Functions?
- AWS Step Functions is a serverless function orchestrator that makes it easy to sequence AWS Lambda functions and multiple AWS services into business-critical applications. It allows you to build and run workflows that stitch together microservices using visual workflows.
What is Amazon API Gateway?
- Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It handles tasks such as traffic management, authorization and access control, throttling, monitoring, and API version management.
What is Amazon CloudWatch Events / EventBridge?
- Amazon CloudWatch Events (now primarily EventBridge) is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. It routes events from AWS services, your own applications, and SaaS applications to targets such as Lambda functions, SQS queues, and SNS topics.
What is AWS Systems Manager Parameter Store?
- AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. It's integrated with other AWS services.
What is the difference between Systems Manager Parameter Store and Secrets Manager?
- Parameter Store: Free, good for storing configuration data and non-sensitive strings, can store secrets but rotation is manual.
- Secrets Manager: Paid service, specifically designed for storing and rotating secrets (database credentials, API keys), integrates with RDS, Redshift, and DocumentDB for automatic secret rotation.
What is Amazon SageMaker?
- Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. It provides a comprehensive suite of tools for the entire ML lifecycle.
What is Amazon Redshift?
- Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. It's optimized for analyzing large datasets using standard SQL and BI tools.
What is Amazon Athena?
- Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard SQL. It's serverless, so there is no infrastructure to manage, and you pay only for the queries you run.
What is Amazon QuickSight?
- Amazon QuickSight is a scalable, serverless, embeddable, ML-powered business intelligence (BI) service built for the cloud. It allows you to easily create and publish interactive BI dashboards.
What is AWS Direct Connect?
- AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. This bypasses the public internet and provides a more consistent network experience.
What is AWS Transit Gateway?
- AWS Transit Gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. It simplifies network management and scales your network architecture as you grow.
What is AWS Resource Groups?
- AWS Resource Groups allow you to organize your AWS resources. You can group resources by tags, CloudFormation stacks, or resource type. Resource Groups make it easier to manage, monitor, and automate tasks on collections of resources.
What is AWS Tagging?
- Tagging is the process of assigning metadata in the form of key-value pairs to AWS resources. Tags help you manage, identify, organize, search for, and filter resources. They are essential for cost allocation, automation, and access control.
What is AWS Service Catalog?
- AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
What is AWS Config Rules?
- AWS Config Rules are used to evaluate whether your AWS resource configurations comply with your desired settings. You can use predefined AWS managed rules or create your own custom rules (using Lambda functions).
What is the difference between horizontal and vertical scaling?
- Horizontal Scaling: Adding more instances or nodes to a system (e.g., adding more EC2 instances to an Auto Scaling Group).
- Vertical Scaling: Increasing the size or capacity of an existing instance or node (e.g., upgrading an EC2 instance to a larger instance type).
What is Idempotency in the context of AWS APIs or services?
- Idempotency means that making the same request multiple times with the same parameters has the same effect as making the request once. Many AWS APIs are designed to be idempotent to handle retries and network issues without causing duplicate actions.
How do you handle state management in serverless applications (e.g., using Lambda)?
- Serverless functions are typically stateless. State can be managed using external services like:
- DynamoDB (for session state or application data)
- S3 (for persistent storage)
- RDS (for relational data)
- Step Functions (for orchestrating stateful workflows)
- ElastiCache (for caching state)
What is the purpose of a Bastion Host?
- A Bastion Host (or jump server) is a server that sits in a public subnet and is used as a secure gateway to access instances in private subnets. You connect to the Bastion Host first (usually via SSH), and then from the Bastion Host, you connect to your private instances.
What is AWS Systems Manager Session Manager?
- Session Manager is a fully managed AWS Systems Manager capability that lets you manage your EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. It eliminates the need to open inbound ports, manage SSH keys, or use bastion hosts.
What is the difference between a Public and Private Hosted Zone in Route 53?
- Public Hosted Zone: Contains records that specify how you want traffic to be routed on the internet to your domain (e.g., example.com).
- Private Hosted Zone: Contains records that specify how you want traffic to be routed within your VPC(s) to your domain. This is useful for internal DNS resolution.
How do you monitor the health of instances behind an Elastic Load Balancer?
- ELB uses Health Checks to determine the availability of the backend instances (targets). Health checks are configured on Target Groups and can use various protocols (HTTP, HTTPS, TCP) and paths to probe the target. Unhealthy instances are taken out of rotation.
What is the difference between an ALB and an NLB?
- Application Load Balancer (ALB): Operates at the application layer (Layer 7). Ideal for HTTP/HTTPS traffic, microservices, and container-based applications. Supports path-based routing, host-based routing, and target groups.
- Network Load Balancer (NLB): Operates at the transport layer (Layer 4). Ideal for TCP/UDP traffic requiring high performance and low latency. Preserves the client's source IP address.
What is AWS Global Accelerator?
- AWS Global Accelerator is a networking service that sends your users' traffic through the AWS global network infrastructure, improving internet performance for your users by up to 60%. It uses static IP addresses as a fixed entry point and routes traffic to the optimal healthy endpoint in your application.
What is Amazon EFS?
- Amazon Elastic File System (EFS) provides a simple, scalable, elastic file system for use with AWS Cloud services and on-premises resources. It's a shared file system that multiple EC2 instances can access concurrently.
When would you use EBS vs. S3 vs. EFS?
- EBS: Block-level storage for a single EC2 instance. Ideal for operating systems, databases, and applications requiring persistent block storage.
- S3: Object storage for unstructured data. Ideal for website assets, backups, archives, data lakes, and cloud-native application storage.
- EFS: Shared file system for multiple EC2 instances. Ideal for use cases requiring concurrent access to a shared file system (e.g., content management systems, development environments).
What are Reserved Instances and Savings Plans?
- Reserved Instances (RIs): Provide a significant discount (up to 75%) compared to On-Demand pricing in exchange for committing to a consistent amount of usage for a 1-year or 3-year term. RIs are purchased for specific instance types, regions, and platforms.
- Savings Plans: Offer similar discounts (up to 72%) as RIs but provide more flexibility. You commit to a consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year term. Savings Plans apply to EC2, Fargate, and Lambda usage, regardless of instance family, size, OS, or region (for EC2 Instance Savings Plans).
What are Spot Instances?
- Spot Instances allow you to request unused EC2 capacity at steep discounts (up to 90%) compared to the On-Demand price. AWS can terminate Spot Instances with two minutes of notification when the capacity is needed elsewhere. They are suitable for fault-tolerant, flexible, or stateless workloads.
What is the EC2 Instance Metadata Service?
- The Instance Metadata Service (IMDS) is a service running on each EC2 instance that allows the instance to query data about itself, such as instance ID, public keys, network interfaces, and IAM role credentials. It's accessible from the instance itself at a specific IP address (169.254.169.254).
What is AWS CodeCommit?
- AWS CodeCommit is a fully managed source control service that hosts secure Git-based repositories. It eliminates the need to operate your own source control system or worry about scaling its infrastructure.
What is AWS CodeBuild?
- AWS CodeBuild is a fully managed continuous integration service that compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. It scales automatically to meet peak build requests.
What is AWS CodeDeploy?
- AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.
What is AWS CodePipeline?
- AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. It automates the build, test, and deploy phases of your release process.
What is the purpose of a .gitignore file? (Relevant in the context of CodeCommit)
- A .gitignore file is a plain text file where each line is a pattern for files and directories that Git should ignore. This prevents you from accidentally committing files like temporary files, build artifacts, or sensitive configuration.
What is AWS Secrets Manager? (final revisit)
- AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
What is AWS Systems Manager Parameter Store? (final revisit)
- AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. It's integrated with other AWS services.
What is the difference between Systems Manager Parameter Store and Secrets Manager? (final revisit)
- Parameter Store: Free, good for storing configuration data and non-sensitive strings, can store secrets but rotation is manual.
- Secrets Manager: Paid service, specifically designed for storing and rotating secrets (database credentials, API keys), integrates with RDS, Redshift, and DocumentDB for automatic secret rotation.
What is AWS Service Health Dashboard?
- The AWS Service Health Dashboard provides the overall status of the AWS services. It shows if there are any ongoing issues or disruptions with AWS services globally.
What is AWS Personal Health Dashboard?
- The AWS Personal Health Dashboard provides a personalized view of the health of the AWS services that you are using. It alerts you to events that might affect your specific AWS resources.
What is the purpose of a Load Balancer Listener?
- A Load Balancer Listener is a process that checks for connection requests, using the protocol and port that you configure. It then forwards requests to one or more target groups, based on the rules that you define.
What is a Load Balancer Target Group?
- A Target Group is used to route requests to one or more registered targets, such as EC2 instances, using the protocol and port number that you specify. You can define health checks per target group.
What is the difference between IAM Policies and Resource-Based Policies (like S3 Bucket Policies)?
- IAM Policies: Attached to an IAM identity (user, group, role). They define what actions the identity is allowed or denied to perform on resources.
- Resource-Based Policies: Attached to a resource (like an S3 bucket, SQS queue, or KMS key). They define what actions *principals* (users, accounts, services) are allowed or denied to perform on *that specific resource*.
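The following Python example is added here to make the interaction between the two policy types concrete; it is not AWS code and not the real IAM evaluation engine. It models the documented same-account decision: an explicit Deny in any applicable policy wins, otherwise the request is allowed if either the identity-based policy or the resource-based policy grants it, otherwise it is implicitly denied. The role ARN (with a placeholder account id), bucket name and both policy documents are constructed for the example; condition keys, NotAction/NotResource, SCPs, permission boundaries and cross-account access (where both sides must allow) are left out.

```python
"""Same-account IAM policy evaluation, simplified (added illustration, not AWS code)."""
import fnmatch
import json

# Constructed example: the role an application runs under (placeholder account id).
ROLE_ARN = "arn:aws:iam::111122223333:role/app-role"

# Identity-based policy attached to the role: read-only access to one bucket.
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"],
    }],
})

# Resource-based (bucket) policy: lets the role upload to one prefix and
# denies every principal any action on the secrets/ prefix.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::app-bucket/uploads/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::app-bucket/secrets/*",
        },
    ],
})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob_any(patterns, value, case_insensitive):
    """IAM wildcards '*' and '?'. Action names compare case-insensitively; ARNs do not."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_covered(stmt, principal_arn):
    """Resource policies name their principals; '*' means any principal."""
    principal = stmt.get("Principal", "*")
    allowed = principal if isinstance(principal, str) else principal.get("AWS", [])
    allowed = _as_list(allowed)
    return "*" in allowed or principal_arn in allowed


def evaluate(identity_policy, resource_policy, principal_arn, action, resource_arn):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    effects = []
    for doc, is_resource_policy in ((identity_policy, False), (resource_policy, True)):
        if doc is None:
            continue
        statements = json.loads(doc)["Statement"]
        if isinstance(statements, dict):       # a single statement may be written without a list
            statements = [statements]
        for stmt in statements:
            if is_resource_policy and not _principal_covered(stmt, principal_arn):
                continue
            if _glob_any(stmt["Action"], action, True) and _glob_any(stmt["Resource"], resource_arn, False):
                effects.append(stmt["Effect"])
    if "Deny" in effects:                      # an explicit deny always wins
        return "explicit_deny"
    if "Allow" in effects:                     # either policy type can grant within one account
        return "allow"
    return "implicit_deny"                     # nothing applied: default deny
```

The two cases worth remembering from this model: the upload to `uploads/` succeeds although the role's own policy never mentions PutObject, because the bucket policy grants it; and the read of `secrets/` fails although the role's policy allows `s3:Get*`, because the bucket policy's Deny overrides it.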
What is Cross-Region Replication in S3?
- Cross-Region Replication (CRR) is a feature that automatically replicates objects from a source S3 bucket in one AWS Region to a destination S3 bucket in a different AWS Region. It's used for disaster recovery, compliance, and reducing latency for users in different geographical locations.
What is the purpose of a NAT Gateway vs. a NAT Instance?
- NAT Gateway: A managed AWS service. Highly available within an Availability Zone, scales automatically, less effort to manage, more expensive.
- NAT Instance: An EC2 instance configured to perform NAT. Less available (single point of failure unless configured with HA), requires manual scaling, more effort to manage, potentially cheaper for low traffic. NAT Gateways are the recommended approach.
What is AWS Elastic Beanstalk? (final revisit)
- AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with popular languages, platforms, and servers, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker, on familiar servers such as Apache, Nginx, Passenger, and IIS. You simply upload your code, and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, and auto scaling to application health monitoring.
What is AWS OpsWorks?
- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. You can use OpsWorks Stacks (similar to Chef Cookbooks) or OpsWorks for Chef Automate/Puppet Enterprise to automate server configuration and application deployment.
What is the difference between CloudFormation, Elastic Beanstalk, and OpsWorks?
- CloudFormation: Infrastructure as Code for provisioning *any* AWS resource. Low-level control.
- Elastic Beanstalk: Platform as a Service for deploying and managing web applications. Higher-level abstraction, focuses on application deployment.
- OpsWorks: Configuration management service using Chef or Puppet. Focuses on server configuration and application deployment using existing tools.
What is AWS Directory Service?
- AWS Directory Service for Microsoft Active Directory (Enterprise Edition) and Simple AD are managed services that make it easy to set up and run directories in the AWS Cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory.
What is Amazon Cognito?
- Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. It scales to millions of users and supports sign-in with social identity providers (like Facebook, Google, Amazon) and enterprise identity providers (using SAML).
What are Amazon VPC Endpoints?
- VPC Endpoints enable you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Traffic between your VPC and the other service does not leave the Amazon network.
What is AWS PrivateLink?
- AWS PrivateLink is a technology that allows you to access services hosted on AWS or on-premises privately, without using public IPs, and without requiring the data to traverse the internet. It powers VPC Endpoints.
What is AWS Glue?
- AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. It automatically discovers and catalogs metadata for your data (Data Catalog), generates Python or Scala ETL code, and runs the ETL jobs.
What is AWS Lake Formation?
- AWS Lake Formation is a service that makes it easy to set up a secure data lake in days. A data lake is a centralized, curated, and secured repository that stores all your data, both in its original form and prepared for analysis. Lake Formation simplifies the process of building, securing, and managing data lakes.
What is the difference between a Data Warehouse (like Redshift) and a Data Lake (on S3)?
- Data Warehouse: Structured data, optimized for SQL queries and reporting, schema-on-write.
- Data Lake: Raw, unstructured, semi-structured, and structured data, schema-on-read, allows for diverse analytics approaches (SQL, machine learning, etc.). Typically built on S3.
What is AWS Certificate Manager (ACM)?
- AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
How do you secure sensitive data at rest and in transit on AWS?
- At Rest: Use encryption for storage services (S3, EBS, RDS, EFS, DynamoDB) using KMS or service-managed keys. Encrypt databases and file systems.
- In Transit: Use TLS/SSL for communication (HTTPS for web traffic, SSL for databases). Use VPNs or Direct Connect with encryption for private network connections.
What is AWS Snowball?
- AWS Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS. It's used when transferring data over the internet is cost-prohibitive, time-consuming, or insecure.
What is AWS Outposts?
- AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to customer premises. It allows you to run some AWS services locally while seamlessly connecting to the broader range of services in the AWS cloud.
What is the AWS Well-Architected Framework?
- The AWS Well-Architected Framework provides guidance to help you design and operate reliable, secure, efficient, and cost-effective systems in the AWS Cloud. It is based on five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.
Explain the five pillars of the AWS Well-Architected Framework.
- Operational Excellence: Ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
- Security: Ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
- Reliability: Ability of a system to perform its intended function correctly and consistently when it’s expected to.
- Performance Efficiency: Ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
- Cost Optimization: Ability to avoid unnecessary costs.
What is AWS Systems Manager Automation?
- AWS Systems Manager Automation allows you to safely automate common IT tasks across your AWS resources and on-premises resources. You can use predefined runbooks or create your own to perform tasks like restarting EC2 instances, applying patches, or updating AMIs.
What is AWS CodeStar? (final revisit)
- AWS CodeStar is a cloud-based service that provides a unified user interface, enabling you to easily manage your software development activities in one place. You can quickly set up a continuous delivery toolchain for applications on AWS, choosing from various templates for different project types.
What is the difference between a public and private IP address in AWS?
- Public IP Address: An IP address that is reachable from the internet. Assigned directly to an instance or associated with an Elastic IP.
- Private IP Address: An IP address that is only reachable from within the VPC. Assigned to an instance's primary network interface (ENI).
What is an Elastic IP (EIP)?
- An Elastic IP address is a static public IP address that you can allocate in a region and associate with an EC2 instance or network interface. Unlike a public IP address that changes when an instance is stopped and started, an EIP remains associated with your account until you release it. Useful for providing a fixed endpoint for your instance.
What is a Security Group Egress Rule?
- An Egress Rule in a Security Group controls the outbound traffic from your EC2 instances. By default, Security Groups have an allow-all outbound rule.
What is a NACL Rule?
- A NACL Rule is a rule in a Network Access Control List that specifies whether to allow or deny inbound or outbound traffic based on protocol, port range, source/destination IP address, and an associated rule number. Rules are evaluated in order.
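To make the "evaluated in order" and stateless behaviour concrete, here is an added Python model of NACL evaluation (example code, not AWS code). Rules are sorted by rule number, the first match decides, and anything no numbered rule matches falls through to the implicit final deny; because a NACL keeps no connection state, a usable connection needs the inbound request and the outbound reply on the client's ephemeral port to each hit an allow rule. The rule sets and IP addresses are constructed for the example; protocols are written as names rather than IANA protocol numbers, and ICMP type/code matching is omitted.

```python
"""Network ACL rule evaluation (added illustration, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # 1-32766; lower numbers are evaluated first
    protocol: str     # 'tcp', 'udp' or '-1' for all traffic
    port_from: int    # inclusive port range (ignored when protocol is '-1')
    port_to: int
    cidr: str         # source CIDR on inbound rules, destination CIDR on outbound rules
    action: str       # 'allow' or 'deny'


def evaluate(rules, protocol, port, peer_ip):
    """Action of the lowest-numbered matching rule, or 'deny' from the implicit * rule."""
    peer = ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol == "-1" or rule.protocol == protocol
        port_ok = rule.protocol == "-1" or rule.port_from <= port <= rule.port_to
        if proto_ok and port_ok and peer in ip_network(rule.cidr):
            return rule.action
    return "deny"


def flow_allowed(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless check: the request to server_port and the reply to the client's port are judged separately."""
    request = evaluate(inbound, protocol, server_port, client_ip)
    reply = evaluate(outbound, protocol, client_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed rule sets (example values, not from a real account).
INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # HTTPS from anywhere...
    NaclRule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),  # ...except this block; 90 < 100 so it is checked first
]
OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to client ephemeral ports
]
OUTBOUND_NO_EPHEMERAL = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),     # common mistake: only the service port is allowed out
]
```

Two things the model makes visible: numbering the deny rule above the allow rule (110 instead of 90) would let the allow match first and defeat the block, and an outbound set without an ephemeral-port allow rule passes the inbound request but drops every reply.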
What is the purpose of a Bastion Host? (final revisit)
- A Bastion Host (or jump server) is a server that sits in a public subnet and is used as a secure gateway to access instances in private subnets. You connect to the Bastion Host first (usually via SSH), and then from the Bastion Host, you connect to your private instances.