
AWS Interview Questions

AWS is the most common cloud topic in DevOps, backend, and cloud-engineer interviews. These are the questions interviewers actually ask, with concise answers you can speak confidently.

17 questions with concise, interview-ready answers.

1. What is AWS, and what are IaaS, PaaS, and SaaS?

AWS (Amazon Web Services) is a cloud platform offering on-demand compute, storage, networking, databases, and other services on a pay-as-you-go basis. Cloud services fall into three models: IaaS (Infrastructure as a Service) gives you raw building blocks like virtual machines and networking — EC2 is an example; PaaS (Platform as a Service) manages the underlying infrastructure so you just deploy code — Elastic Beanstalk is an example; SaaS (Software as a Service) delivers a finished application over the internet, like Gmail.

2. What is Amazon EC2?

EC2 (Elastic Compute Cloud) provides resizable virtual servers, called instances, in the cloud. You choose an AMI (machine image), an instance type that sets CPU and memory, and pay only for what you use. Pricing options include On-Demand, Reserved Instances, Savings Plans, and Spot Instances for cheap interruptible workloads.

3. What is Amazon S3, and what are its storage classes?

S3 (Simple Storage Service) is object storage for files of any type (individual objects up to 5 TB), organized into buckets and designed for 99.999999999% (11 nines) durability. Storage classes let you trade cost against access speed and retrieval time: S3 Standard for frequent access, Standard-IA and One Zone-IA for infrequent access, Intelligent-Tiering for automatic optimization, and the Glacier classes (Instant Retrieval, Flexible Retrieval, Deep Archive) for cheap long-term archival. Buckets are private by default; access is granted through IAM policies, bucket policies, and presigned URLs, with Block Public Access as the safety net against accidental exposure.

4. What is the difference between EBS, S3, and EFS?

EBS (Elastic Block Store) is block storage attached to a single EC2 instance, like a virtual hard disk, ideal for databases and boot volumes. S3 is object storage accessed over HTTP APIs, best for files, backups, and static assets. EFS (Elastic File System) is a managed shared file system (NFS) that many EC2 instances can mount at the same time.

5. What is a VPC?

A VPC (Virtual Private Cloud) is a logically isolated section of the AWS network where you launch resources with full control over IP ranges, subnets, route tables, and gateways. You typically split it into public subnets (a route to an internet gateway, so instances with public IPs are reachable from the internet) and private subnets (no inbound path from the internet; outbound access, for example for package updates, goes through a NAT gateway). It is the networking foundation of most AWS architectures, and keeping database and application tiers in private subnets is the first step in limiting their exposure.

6. What is the difference between a security group and a network ACL?

A security group is a stateful firewall attached to an instance's network interface (ENI): it has only allow rules, anything not allowed is implicitly denied, and return traffic for an admitted connection is permitted automatically. A network ACL is a stateless firewall at the subnet level: it evaluates inbound and outbound packets independently against numbered allow and deny rules (lowest number first, first match wins, then a final catch-all deny), so return traffic must be allowed explicitly, typically with an outbound rule for the ephemeral port range 1024-65535. Traffic entering a subnet hits the NACL before the security group; in practice security groups carry the fine-grained per-instance policy, and NACLs add a coarse subnet-wide layer, including explicit blocks of known-bad addresses that a security group cannot express.
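The stateful/stateless distinction is where interview answers get hand-wavy, so here is an added example (not from the original page, and not AWS code) that models both firewalls on the same HTTPS flow. The IPs, port numbers and rule sets are constructed for the illustration; the point it shows is that a NACL whose outbound rules merely mirror the inbound ones silently drops the server's replies, because the reply packet's destination port is the client's ephemeral port, not 443.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int     # NACL evaluation order, lowest first; ignored by security groups
    action: str     # "allow" or "deny" (security groups only ever carry "allow")
    proto: str
    port_from: int  # destination-port range the rule covers, in both directions
    port_to: int
    cidr: str       # peer CIDR: the packet's source when inbound, destination when outbound


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    peer = pkt.src_ip if direction == "in" else pkt.dst_ip
    return (rule.proto == pkt.proto
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, per-ENI: allow rules only, implicit deny, replies to tracked flows pass."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self._flows = set()  # 5-tuples of connections already admitted

    def allows(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._flows:  # reply to an admitted flow: no rule needed
            return True
        for rule in self.rules[direction]:
            if rule.action == "allow" and _matches(rule, pkt, direction):
                self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return True
        return False  # nothing matched: implicit deny


class NetworkAcl:
    """Stateless, per-subnet: numbered allow/deny rules, first match wins, trailing '*' denies."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules[direction]:
            if _matches(rule, pkt, direction):
                return rule.action == "allow"
        return False  # the implicit final '*' deny rule


# Constructed sample flow: an internet client opens HTTPS to a web server in the VPC.
SERVER, CLIENT, ANY = "10.0.1.10", "203.0.113.5", "0.0.0.0/0"
REQUEST = Packet(CLIENT, 51234, SERVER, 443)   # inbound: destination port 443
RESPONSE = Packet(SERVER, 443, CLIENT, 51234)  # outbound: destination port is the client's ephemeral port

# Security group allowing inbound 443, with its outbound rules deliberately emptied.
sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 443, 443, ANY)], outbound=[])
# NACL whose outbound rules simply mirror the inbound ones: a common misconfiguration.
nacl_mirrored = NetworkAcl(inbound=[Rule(100, "allow", "tcp", 443, 443, ANY)],
                           outbound=[Rule(100, "allow", "tcp", 443, 443, ANY)])
# Corrected NACL: outbound rule covering the ephemeral port range for return traffic.
nacl_fixed = NetworkAcl(inbound=[Rule(100, "allow", "tcp", 443, 443, ANY)],
                        outbound=[Rule(100, "allow", "tcp", 1024, 65535, ANY)])


def simulate(firewall) -> tuple:
    """Return (request_admitted, response_admitted) for one firewall."""
    return firewall.allows(REQUEST, "in"), firewall.allows(RESPONSE, "out")


if __name__ == "__main__":
    for name, fw in [("security group", sg), ("NACL, mirrored rules", nacl_mirrored),
                     ("NACL, ephemeral outbound", nacl_fixed)]:
        req, resp = simulate(fw)
        print(f"{name:26} request={req!s:5} response={resp}")
```

The security group admits the response with no outbound rule at all, because it tracks the admitted connection; the mirrored NACL admits the request and drops the response; the corrected NACL admits both. The same reasoning applies in reverse for outbound connections from the instance, which is why the standard NACL pattern includes an inbound ephemeral-port allow as well.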

7. What is IAM, and what are users, roles, and policies?

IAM (Identity and Access Management) controls who can do what in your AWS account. Users are long-lived identities with their own credentials (a console password and/or access keys); roles are identities with no permanent credentials that users, AWS services, or EC2 instances assume to obtain short-lived temporary credentials from STS; policies are JSON documents whose statements allow or deny specific actions on specific resources. Evaluation is deny by default: a request needs an explicit Allow from some applicable policy, and any explicit Deny overrides every Allow. Best practice is least privilege, roles instead of access keys embedded in code or on instances, MFA for human users, and federated sign-in through IAM Identity Center rather than individual IAM users for people.
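The "explicit Deny beats Allow, and no Allow means denied" rule is the part of IAM that candidates most often get wrong, so here is an added example (not from the original page, and not an AWS library) that evaluates a request against identity-based policy documents with that logic. The bucket name "app-uploads", the statement IDs and the request ARNs are constructed for the illustration; the evaluator handles only Action and Resource with IAM's `*` and `?` wildcards, so NotAction, NotResource, Principal, Condition, resource-based policies and permission boundaries are deliberately out of scope.

```python
import json
import re


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies: list, action: str, resource: str) -> str:
    """Decide one request against all identity-based policies attached to a principal.

    Returns "Deny" on any matching explicit Deny (final, overrides every Allow),
    "Allow" if some statement allows the action on the resource, else "ImplicitDeny".
    Assumptions for this illustration: Action/Resource only (no NotAction, NotResource,
    Principal or Condition); action names compared case-insensitively, ARNs case-sensitively.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed sample policies (hypothetical bucket name "app-uploads").
# Least-privilege policy for an application role: read/write objects in the bucket,
# list the bucket, and an explicit Deny fencing off the secrets/ prefix.
APP_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadWriteUploads", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Sid": "ListBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads"},
    {"Sid": "NoSecretsPrefix", "Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-uploads/secrets/*"}
  ]
}""")

# An over-broad policy someone might attach later "to make it work".
BROAD_S3_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
}""")

PHOTO = "arn:aws:s3:::app-uploads/photos/1.jpg"
SECRET = "arn:aws:s3:::app-uploads/secrets/db.pem"

if __name__ == "__main__":
    for policies, label in [([APP_ROLE_POLICY], "role policy"),
                            ([APP_ROLE_POLICY, BROAD_S3_POLICY], "role + broad policy")]:
        for act, res in [("s3:GetObject", PHOTO), ("s3:DeleteObject", PHOTO),
                         ("s3:GetObject", SECRET), ("iam:CreateUser", "*")]:
            print(f"{label:20} {act:16} {res:45} -> {evaluate(policies, act, res)}")
```

Attaching the broad policy turns the implicit deny on s3:DeleteObject into an Allow, but the secrets/ prefix stays denied because the explicit Deny still matches; that asymmetry is why explicit Deny statements are the right tool for guardrails and why real policy review means checking every attached policy, not just one.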

8. What is AWS Lambda and serverless computing?

Lambda lets you run code without provisioning or managing servers — you upload a function, and AWS runs it in response to events such as an API call, S3 upload, or queue message. You pay only for the compute time consumed, and it scales automatically. This is the core of serverless computing, where the cloud provider handles capacity, patching, and scaling.

9. What is Auto Scaling in AWS?

Auto Scaling automatically adjusts the number of EC2 instances to match demand, using an Auto Scaling group with minimum, desired, and maximum capacity. Scaling policies add or remove instances based on metrics like CPU utilization or request count, and it can replace unhealthy instances. This keeps applications available during spikes while controlling cost during quiet periods.

10. What are the types of Elastic Load Balancer?

AWS offers three main load balancers: the Application Load Balancer (ALB) operates at Layer 7 and routes HTTP/HTTPS traffic by path or host; the Network Load Balancer (NLB) operates at Layer 4 for very high-throughput TCP/UDP traffic; and the Gateway Load Balancer (GWLB) is used to deploy third-party virtual appliances. The older Classic Load Balancer is now legacy.

11. What is the difference between RDS and DynamoDB?

RDS (Relational Database Service) is a managed relational database supporting engines like MySQL, PostgreSQL, and Aurora, ideal for structured data and SQL queries with joins. DynamoDB is a fully managed NoSQL key-value and document database that delivers single-digit-millisecond latency at any scale. Choose RDS for relational, transactional workloads and DynamoDB for high-scale, flexible-schema, low-latency needs.

12. What is Amazon CloudFront?

CloudFront is AWS's content delivery network (CDN) that caches content at edge locations close to users to reduce latency. It serves static and dynamic content, supports HTTPS, and commonly sits in front of S3 buckets or load balancers. It also integrates with AWS Shield and WAF for security at the edge.

13. What is Amazon Route 53?

Route 53 is AWS's scalable DNS and domain-registration service. Beyond resolving domain names, it supports routing policies such as simple, weighted, latency-based, failover, and geolocation routing. Combined with health checks, it enables DNS-level failover and traffic distribution across regions.

14. What is the difference between a region and an availability zone?

A region is a separate geographic area, such as us-east-1, made up of multiple (usually three or more) isolated availability zones. An availability zone (AZ) is one or more discrete data centers within a region, each with independent power, cooling, and networking, connected to the other AZs by low-latency links. Deploying across multiple AZs gives you high availability, while using multiple regions adds disaster recovery and lower latency for global users.

15. What is Amazon CloudWatch?

CloudWatch is AWS's monitoring and observability service for metrics, logs, and events. It collects hypervisor-level EC2 metrics such as CPU utilization, disk I/O, and network traffic automatically; guest-level metrics such as memory and disk-space usage require the CloudWatch agent on the instance. It stores application logs, and alarms on metrics can notify you (via SNS) or trigger actions such as Auto Scaling. CloudWatch Events, now EventBridge, runs scheduled or event-driven automation.

16. What is the difference between SQS and SNS?

SQS (Simple Queue Service) is a message queue where consumers pull messages and process them, decoupling producers from consumers — a one-to-one, pull-based pattern. SNS (Simple Notification Service) is a publish/subscribe service that pushes a message to many subscribers at once — a one-to-many, push-based fan-out pattern. They are often combined (SNS to multiple SQS queues) for reliable fan-out.

17. What is the AWS shared responsibility model?

The shared responsibility model splits security duties between AWS and the customer. AWS is responsible for security "of" the cloud: the physical facilities, hardware, hypervisor, network, and the infrastructure behind managed services. The customer is responsible for security "in" the cloud: their data, identity and access management (IAM), encryption and key management, network and firewall configuration (security groups, NACLs), and, on EC2, patching the guest OS and applications. The dividing line moves with the service: on RDS or Lambda, AWS patches the OS and runtime, but the customer still owns the data, the IAM policies, and the access configuration.
