Interview Questions
A curated set of AWS interview questions grouped by domain. Each answer is deliberately concise - enough to demonstrate understanding in a real interview without rambling. Aim to explain the why, not just recite the definition.
Core & Global Infrastructure
What is the difference between a Region and an Availability Zone? A Region is an isolated geographic area; an Availability Zone is one or more discrete data centers within a Region with independent power and networking. Regions provide isolation for compliance and fault containment; AZs let you build highly available systems inside one Region.
Why deploy across multiple AZs? A single AZ is a single point of failure. Spreading resources across two or more AZs lets your application survive a full data-center outage with no downtime.
What is an Edge Location? A point of presence used by CloudFront and Route 53 to cache and serve content close to end users, reducing latency. There are far more edge locations than Regions.
What is the shared responsibility model? AWS secures the cloud (hardware, hypervisor, facilities); the customer secures what’s in the cloud (data, IAM, OS patching, configuration). The line shifts with how managed the service is.
IAM & Security
Explain the difference between an IAM user and an IAM role. A user is a long-lived identity with permanent credentials, meant for humans. A role has no permanent credentials; trusted entities assume it to receive temporary, auto-rotated credentials - ideal for applications and cross-account access.
What is the principle of least privilege? Granting only the permissions strictly required for a task. It minimizes blast radius if a credential is compromised.
How is an IAM policy evaluated when allows and denies conflict? Everything is implicitly denied by default. An explicit Allow grants access, but an explicit Deny always overrides any Allow.
Why should you avoid using the root user? It has unrestricted access that cannot be restricted by IAM policies. Use it only for the few tasks that require it, protect it with MFA, and operate day-to-day as a least-privilege IAM identity.
How should applications on EC2 authenticate to AWS? With an IAM role attached via an instance profile - never hard-coded access keys. The role delivers short-lived, auto-rotated credentials.
What is MFA and where should it be enforced? A second authentication factor beyond a password. Enforce it on the root user and all privileged identities, and gate sensitive actions behind an MFA condition.
Compute
What is the difference between an AMI and an instance? An AMI is the immutable template (OS + software + config) an instance boots from; an instance is the running VM created from that template.
Compare On-Demand, Reserved/Savings Plans, and Spot pricing. On-Demand is flexible and pay-per-use. Reserved/Savings Plans give large discounts for a 1-3 year commitment on steady workloads. Spot offers up to ~90% off using spare capacity but can be reclaimed with a 2-minute warning - good only for interruptible work.
What is EC2 user data? A script that runs once on first boot to bootstrap an instance (install packages, fetch config, start services).
What is the difference between stopping and terminating an instance? Stopping halts the instance but keeps its EBS root volume (you can restart it). Terminating deletes the instance and, by default, its root volume.
When would you choose Lambda over EC2 or containers? For event-driven, spiky, short (<15 min) workloads where you want zero server management and scale-to-zero. Choose containers/EC2 for long-running, steady, or specialized-hardware workloads.
Storage
How durable is S3 and what does that mean? S3 is designed for 11 nines of durability by replicating objects across multiple devices and AZs. It protects against hardware loss - but not against accidental deletion, which is why versioning matters.
What is the difference between a bucket policy and an IAM policy? A bucket policy is a resource-based policy attached to the bucket (defines who can access it). An IAM policy is identity-based, attached to a user/role (defines what that principal can access). Public (anonymous) access can only be granted by a bucket policy, because an anonymous requester has no IAM identity to attach a policy to.
How do you reduce S3 storage costs? Use lifecycle rules to transition objects to cheaper classes (Standard-IA, Glacier) and expire old data, or use Intelligent-Tiering when access patterns are unpredictable.
EBS vs S3 - when do you use each? EBS is block storage attached to a single EC2 instance, like a virtual disk for an OS or database. S3 is object storage accessed over HTTP, for files, backups, and static assets at internet scale.
Networking
What is the difference between an Internet Gateway and a NAT Gateway? An Internet Gateway enables bidirectional internet access for public subnets. A NAT Gateway lets private-subnet resources make outbound connections only, while blocking inbound traffic from the internet.
Security Group vs Network ACL - what’s the difference? Security groups are stateful, instance-level, allow-only firewalls. NACLs are stateless, subnet-level, and support both allow and deny rules evaluated in order. Security groups are the primary control; NACLs are coarse guardrails.
What makes a subnet public or private? Its route table. A subnet is public if it routes 0.0.0.0/0 to an Internet Gateway; otherwise it’s private.
What is a VPC Endpoint and why use one? It connects your VPC privately to AWS services (like S3 or DynamoDB) without traversing the internet or a NAT Gateway, improving security and cutting data-processing costs.
Serverless
What is a cold start and how do you mitigate it? The latency of initializing a fresh Lambda execution environment on first/scaled invocation. Mitigate with lightweight runtimes, small packages, init outside the handler, and Provisioned Concurrency for latency-sensitive endpoints.
What are the invocation models for Lambda? Synchronous (caller waits, e.g. API Gateway), asynchronous (queued with retries, e.g. S3/SNS), and poll-based/stream (Lambda polls and batches, e.g. SQS/Kinesis).
What does “serverless” actually mean? You run code without provisioning or managing servers. AWS handles scaling, patching, and availability; you manage only your code and configuration, and you pay only for what you use.