
AWS notes for developers

Master AWS with a curated set of 3 developer notes — core concepts, patterns, and interview prep. Maintained by the DevRecall team.


AWS Interview Questions

Q: What is the difference between horizontal and vertical scaling?

Vertical scaling (scale up) — add more resources to the same instance (bigger EC2 instance). Has limits and usually requires downtime. Horizontal scaling (scale out) — add more instances. AWS Auto Scaling, ECS, and Kubernetes do this automatically. Horizontal scaling is preferred for availability and fault tolerance.

Q: What is the difference between SQS and SNS?

SQS (queue) — consumers pull messages and each message is delivered to one consumer; messages persist (up to 14 days) until the consumer deletes them after processing; used for decoupling and work distribution. SNS (pub/sub) — pushes each message to all subscribers at once (Lambda, SQS, HTTP, email); messages are not retained, so a subscriber that is down misses them. Common pattern: SNS topic → multiple SQS queues (fan-out) so each subscriber gets its own durable copy and processes independently.

Q: What are availability zones and regions?

A Region is a geographic area (us-east-1, eu-west-1) containing multiple Availability Zones (AZs). An AZ is one or more discrete data centers with redundant power, networking, and connectivity. AZs within a region are physically separated but connected with low-latency fiber. Deploy across multiple AZs for high availability; multiple regions for disaster recovery.

Q: What is IAM and how does it work?

Identity and Access Management controls who (authentication) can do what (authorization) in AWS. Core concepts: Users (humans/apps with long-term credentials), Groups (users with shared permissions), Roles (temporary credentials assumed by services, Lambda, EC2, CI/CD), Policies (JSON documents defining allowed/denied actions on resources; an explicit Deny always beats an Allow, and anything not allowed is implicitly denied). Best practice: never use the root account for day-to-day work (lock it down with MFA), prefer roles with temporary credentials over long-lived access keys, and apply least privilege.

Q: What is the difference between Lambda and EC2?

EC2 is a VM you manage — you control the OS, runtime, patching, and scaling. It runs until you stop it and is billed per second while running. Lambda is serverless — you provide only the function code. AWS handles infrastructure and scaling (to thousands of concurrent invocations), and you pay per invocation plus duration. Lambda cold starts can add latency (roughly 100 ms to a few seconds, depending on runtime and package size); it is not suitable for long-running or memory-intensive workloads (15-minute timeout, 10 GB memory max).

Q: What is a VPC and why is it important?

A Virtual Private Cloud is your isolated network inside AWS. Public subnets route to the internet via an Internet Gateway; private subnets don't (use a NAT Gateway for outbound-only access). Security Groups (stateful firewall attached to each resource; return traffic is allowed automatically) and NACLs (stateless, per subnet; numbered rules evaluated in order, first match wins, so return traffic on ephemeral ports needs its own rule) control traffic. Keep databases in private subnets and load balancers in public subnets.
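The stateful-versus-stateless distinction is easiest to see by running the two evaluation rules on a few constructed rule sets. The Python below is an added example, not code from these notes or from AWS: it models the documented NACL behaviour (ascending rule-number order, first match wins, catch-all deny, inbound and outbound judged separately) beside a stateful security group, and shows the classic mistake of mirroring the inbound rule on the outbound side instead of opening the ephemeral port range. The class and function names, rule sets, and the 203.0.113.5 client address are all invented for the example.

```python
"""Stateless NACL vs. stateful security group evaluation.

Added example, not code from the original page. It models the documented AWS rules:
a network ACL evaluates rules in ascending rule-number order, the first match (allow or
deny) wins, the catch-all '*' rule denies, and inbound and outbound are judged
independently, so the response to an allowed request still needs an outbound rule for
the client's ephemeral port. A security group is stateful: an allowed request implies
the response. Helper names and the sample rules below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order; lower numbers are checked first
    proto: str        # 'tcp', 'udp' or '-1' for all protocols
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str       # 'allow' or 'deny'


def _matches(rule, remote_ip, proto, port):
    if rule.proto not in ("-1", proto):
        return False
    if ip_address(remote_ip) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


def nacl_decision(rules, remote_ip, proto, port):
    """First matching rule in ascending number order wins; no match is the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote_ip, proto, port):
            return rule.action
    return "deny"


def nacl_allows_exchange(inbound, outbound, client_ip, server_port, client_port, proto="tcp"):
    """Stateless: the request (inbound, dst=server_port) and the response
    (outbound, dst=client_port) are evaluated separately and both must be allowed."""
    request_ok = nacl_decision(inbound, client_ip, proto, server_port) == "allow"
    response_ok = nacl_decision(outbound, client_ip, proto, client_port) == "allow"
    return request_ok and response_ok


def sg_allows_exchange(inbound_rules, client_ip, server_port, proto="tcp"):
    """Stateful: only the inbound request is checked against (proto, cidr, from, to)
    tuples; connection tracking lets the response out without an outbound rule."""
    return any(
        p in ("-1", proto)
        and ip_address(client_ip) in ip_network(cidr)
        and lo <= server_port <= hi
        for p, cidr, lo, hi in inbound_rules
    )


def demo():
    """Constructed scenario: an HTTPS server in a subnet, client at 203.0.113.5."""
    inbound = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    # Common mistake: mirror the inbound rule on the outbound side. The reply goes to
    # the client's ephemeral port (here 50000), not to 443, so it is dropped.
    outbound_mirrored = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    outbound_fixed = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
    # Ordering: a deny for 10.0.0.0/8 only bites if its number is lower than the allow.
    deny_first = [NaclRule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),
                  NaclRule(90, "tcp", "10.0.0.0/8", 22, 22, "deny")]
    deny_late = [NaclRule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),
                 NaclRule(110, "tcp", "10.0.0.0/8", 22, 22, "deny")]
    return {
        "nacl_mirrored": nacl_allows_exchange(inbound, outbound_mirrored, "203.0.113.5", 443, 50000),
        "nacl_fixed": nacl_allows_exchange(inbound, outbound_fixed, "203.0.113.5", 443, 50000),
        "ssh_from_10_deny_first": nacl_decision(deny_first, "10.1.2.3", "tcp", 22),
        "ssh_from_10_deny_late": nacl_decision(deny_late, "10.1.2.3", "tcp", 22),
        "sg": sg_allows_exchange([("tcp", "0.0.0.0/0", 443, 443)], "203.0.113.5", 443),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two ordering cases are the part worth remembering when reviewing a NACL: a deny rule placed after a broader allow is dead, which is why deny entries for known-bad ranges conventionally get the lowest numbers.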


Core AWS Services

Compute

  • EC2 — virtual machines; choose instance type (t3.micro, c6i.large, etc.), AMI, VPC, security groups

  • ECS / EKS — container orchestration; ECS is AWS-native, EKS is managed Kubernetes

  • Lambda — serverless functions; event-driven, pay per invocation, 15-min max duration

  • Fargate — serverless containers (no EC2 to manage); works with ECS and EKS

  • Auto Scaling — automatically scale EC2 instances based on metrics (CPU, custom CloudWatch)

Storage

  • S3 — object storage; buckets, objects, versioning, lifecycle policies, 11 nines durability

  • EBS — block storage for EC2 (like a hard drive); SSD (gp3) or HDD; AZ-specific

  • EFS — managed NFS; shared across multiple EC2 instances, auto-scaling

  • CloudFront — CDN; edge caching for S3, EC2, APIs; 450+ edge locations

Databases

  • RDS — managed relational DB: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server

  • Aurora — AWS-built MySQL/PostgreSQL-compatible; faster, auto-scaling storage, serverless option

  • DynamoDB — managed NoSQL key-value + document store; single-digit ms latency at any scale

  • ElastiCache — managed Redis or Memcached

Networking

  • VPC — Virtual Private Cloud; isolated network with subnets, route tables, internet gateways

  • Route 53 — DNS + health checking + routing policies (latency, geo, failover, weighted)

  • ALB — Application Load Balancer; HTTP/HTTPS, path/host routing, WebSocket, sticky sessions

  • API Gateway — managed API front-end; REST/HTTP/WebSocket APIs, auth, throttling, caching

Messaging & Events

  • SQS — managed message queue; standard (at-least-once, best-effort ordering) or FIFO (exactly-once processing within the 5-minute deduplication window, ordered per message group)

  • SNS — pub/sub; fan-out to multiple SQS, Lambda, HTTP, email, SMS endpoints

  • EventBridge — serverless event bus; route events between AWS services, SaaS, custom apps

Security & Identity

  • IAM — users, groups, roles, policies (JSON); principle of least privilege

  • Secrets Manager — store, rotate, and retrieve secrets (DB passwords, API keys)

  • Cognito — managed user auth (user pools) + identity federation (identity pools)

  • ACM — free public TLS certificates, auto-renewed, for CloudFront, ALB, API Gateway (not exportable to EC2)


S3, Lambda & IAM Patterns

S3 — Key Operations (AWS CLI)

# Create / manage buckets
aws s3 mb s3://my-bucket
aws s3 rb s3://my-bucket --force

# Copy / sync
aws s3 cp ./dist s3://my-bucket/dist/ --recursive
aws s3 cp s3://my-bucket/file.txt ./local/
aws s3 sync ./dist s3://my-bucket/ --delete  # delete files not in source
aws s3 sync s3://src-bucket s3://dst-bucket  # bucket-to-bucket

# List / delete
aws s3 ls s3://my-bucket/
aws s3 rm s3://my-bucket/old-file.txt
aws s3 rm s3://my-bucket/logs/ --recursive

# Presigned URL (temporary access). The URL is a bearer token: anyone holding it can fetch
# the object with the signer's permissions until it expires. --expires-in is capped at 7 days
# (604800 s); with temporary role credentials the URL stops working when those credentials do.
aws s3 presign s3://my-bucket/private-file.pdf --expires-in 3600

# Set public static website hosting (the website endpoint serves plain HTTP only;
# put CloudFront in front of it for TLS)
aws s3 website s3://my-bucket/ --index-document index.html --error-document error.html

# S3 bucket policy (public read). Only for content meant to be world-readable: it takes
# effect only if Block Public Access is disabled for the bucket. The safer default is to
# keep the bucket private and grant CloudFront read access via origin access control.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
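What `aws s3 presign` actually emits is a SigV4 query-string signature, and seeing it built by hand makes clear why the URL is a bearer credential and why its lifetime is bounded by the signer's credentials. The Python below is an added example, not code from these notes or from the AWS CLI; it uses only the standard library and is checked against the worked example in AWS's SigV4 presigned-URL documentation (Amazon's published dummy key pair, bucket `examplebucket`, key `test.txt`). Function names such as `presign_get` and `signing_key` are this example's own.

```python
"""SigV4 query-string presigning for an S3 GET, written out by hand.

Added example, not code from the original page; it reproduces what `aws s3 presign` does
with only the standard library. The URL embeds the signer's access key id, a credential
scope (date/region/service), an expiry, and an HMAC-SHA256 signature over the request
shape; the secret key never leaves the signer. Whoever holds the URL is a bearer of the
signer's s3:GetObject permission until X-Amz-Expires elapses, or earlier if the
credentials behind it were temporary role credentials that have since expired.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # 604800 s, the SigV4 ceiling for X-Amz-Expires


def _uri_encode(value, keep_slash=False):
    # SigV4 encoding: unreserved characters untouched, everything else %XX
    return quote(value, safe="-_.~/" if keep_slash else "-_.~")


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service="s3"):
    """Derive the per-day, per-region, per-service key from the long-term secret."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket, key, access_key, secret_key, region, expires, when, session_token=None):
    """Return (url, canonical_request, signature); `when` is an aware UTC datetime."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.amazonaws.com" if region == "us-east-1" else f"{bucket}.s3.{region}.amazonaws.com"

    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (STS/role) credentials must carry their token, and it is signed
        params["X-Amz-Security-Token"] = session_token
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    canonical_uri = "/" + _uri_encode(key, keep_slash=True)
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers: each 'name:value' ends with \n, hence the blank line
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # a presigned S3 URL never commits to a body hash
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    url = f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"
    return url, canonical_request, signature


def demo():
    """The worked example from AWS's SigV4 presigned-URL documentation: Amazon's published
    dummy key pair, bucket 'examplebucket', key 'test.txt', 24-hour expiry, 2013-05-24."""
    return presign_get(
        "examplebucket", "test.txt",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "us-east-1", 86400, datetime(2013, 5, 24, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    url, canonical, signature = demo()
    print(canonical)
    print(url)
```

Two things to take from the structure: the signature covers the expiry and the credential scope, so a holder cannot extend the URL by editing `X-Amz-Expires`, and nothing in it names the object's permissions, so S3 checks the signer's IAM permissions at the moment of each request. Revoking the signing credentials (or denying `s3:GetObject` to that principal) kills every URL they ever signed, which is the lever to pull if one leaks.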

Lambda

// Lambda handler (Node.js, ESM). One function can be wired to several triggers, but each
// invocation carries exactly one event shape, so branch on it: event.Records is undefined
// for an API Gateway event, and reading event.Records[0] unconditionally would throw.
export const handler = async (event, context) => {
  // Log selectively: full events can carry tokens and personal data into CloudWatch Logs.
  const source = event.Records?.[0]?.eventSource ?? 'api-gateway';

  // S3 event: object keys arrive URL-encoded, with '+' standing for spaces
  if (source === 'aws:s3') {
    for (const record of event.Records) {
      const bucket = record.s3.bucket.name;
      const key = decodeURIComponent(record.s3.object.key.replace(/\+/g, ' '));
      await processObject(bucket, key);
    }
    return;
  }

  // SQS event: report failures per message so only those are retried
  // (needs ReportBatchItemFailures enabled on the event source mapping)
  if (source === 'aws:sqs') {
    const batchItemFailures = [];
    for (const record of event.Records) {
      try {
        await processMessage(JSON.parse(record.body));
      } catch (err) {
        console.error('Message failed:', record.messageId, err);
        batchItemFailures.push({ itemIdentifier: record.messageId });
      }
    }
    return { batchItemFailures };
  }

  // API Gateway REST event (payload format 1.0): the body is untrusted input
  const { httpMethod, path, queryStringParameters } = event;
  let data = null;
  if (event.body) {
    try {
      data = JSON.parse(event.isBase64Encoded ? Buffer.from(event.body, 'base64').toString() : event.body);
    } catch {
      return { statusCode: 400, body: JSON.stringify({ message: 'Invalid JSON body' }) };
    }
  }
  const result = await handleRequest(httpMethod, path, queryStringParameters ?? {}, data);
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(result ?? { message: 'Success' }),
  };
};
// processObject, processMessage and handleRequest are your application code.

// Environment variables are plaintext in the function configuration (readable by anyone with
// lambda:GetFunctionConfiguration); keep secrets in Secrets Manager or Parameter Store and
// fetch them at runtime instead of baking them into DATABASE_URL.
const db = process.env.DATABASE_URL;

// AWS SDK v3: the runtime sets AWS_REGION, and credentials come from the execution role
import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3';
const s3 = new S3Client({ region: process.env.AWS_REGION });
const obj = await s3.send(new GetObjectCommand({ Bucket: 'my-bucket', Key: 'file.txt' }));
const text = await obj.Body.transformToString(); // Body is a stream in v3, not a Buffer

IAM — Roles & Policies

// IAM Policy — allow Lambda to read S3 and write CloudWatch Logs.
// s3:GetObject applies to objects (bucket/*) while s3:ListBucket applies to the bucket
// ARN itself, which is why both resources are listed. The logs grant below copies the
// managed AWSLambdaBasicExecutionRole wildcard; least privilege scopes it to the
// function's own group, e.g. "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION:*".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

// Trust policy — who can assume this role
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "lambda.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
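Both policy documents on this page (the public-read bucket policy above and the execution-role policy here) are judged by the same rules, and the rules are short enough to implement. The Python below is an added example, not code from these notes and not AWS's evaluation engine: it implements the documented core of single-policy evaluation (explicit Deny beats Allow, Allow required, otherwise implicit deny, with IAM `*`/`?` wildcards and case-insensitive actions) and a `public_statements()` check that flags what a bucket policy grants to everyone. Conditions are not modelled. The sample policies, the 123456789012 account id and the `my-fn` function name are constructed for the example; the first policy is the Lambda policy from the page, the second shows its CloudWatch Logs grant scoped down.

```python
"""Minimal IAM policy evaluation and public-access check.

Added example, not code from the original page and not AWS's own engine. It implements
the documented core of the evaluation logic for one policy document: an explicit Deny
beats any Allow, at least one Allow is needed, otherwise the request is implicitly
denied. Action matching is case-insensitive and both Action and Resource accept the IAM
wildcards '*' and '?'. Conditions are not modelled (a statement carrying one is skipped),
and Principal is only inspected by public_statements(). Sample policies are constructed.
"""
import re


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' spans anything (including ':' and '/'), '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_matches(statement, action, resource):
    actions = _as_list(statement.get("Action"))
    not_actions = _as_list(statement.get("NotAction"))
    if actions and not any(_wildcard_match(a, action, True) for a in actions):
        return False
    if not_actions and any(_wildcard_match(a, action, True) for a in not_actions):
        return False
    return any(_wildcard_match(r, resource) for r in _as_list(statement.get("Resource", "*")))


def evaluate(policy, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for st in _as_list(policy.get("Statement")):
        if "Condition" in st or not statement_matches(st, action, resource):
            continue
        if st.get("Effect") == "Deny":
            return "explicit_deny"  # Deny wins no matter what else allows
        decision = "allow"
    return decision


def public_statements(policy):
    """Allow statements open to any principal and unconditioned: what makes a bucket public."""
    def everyone(principal):
        return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
    return [st for st in _as_list(policy.get("Statement"))
            if st.get("Effect") == "Allow" and "Condition" not in st and everyone(st.get("Principal"))]


# Constructed sample policies (account id and function name are placeholders).
LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-fn:*"},
        # A Deny on a prefix wins over the broad Allow after it, whatever the order
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/secret/*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}
OWN_LOGS = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-fn:log-stream:2024/01/01"
OTHER_LOGS = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/other-fn:log-stream:x"


def demo():
    return {
        "lambda_reads_object": evaluate(LAMBDA_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/reports/q1.pdf"),
        "lambda_writes_object": evaluate(LAMBDA_POLICY, "s3:PutObject", "arn:aws:s3:::my-bucket/reports/q1.pdf"),
        "lambda_other_function_logs": evaluate(LAMBDA_POLICY, "logs:PutLogEvents", OTHER_LOGS),
        "scoped_other_function_logs": evaluate(SCOPED_POLICY, "logs:PutLogEvents", OTHER_LOGS),
        "scoped_own_logs": evaluate(SCOPED_POLICY, "logs:PutLogEvents", OWN_LOGS),
        "scoped_secret_prefix": evaluate(SCOPED_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/secret/key"),
        "public_bucket_statements": len(public_statements(PUBLIC_BUCKET_POLICY)),
        "lambda_policy_public": len(public_statements(LAMBDA_POLICY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `lambda_other_function_logs` result is the point of the scoped policy: with `arn:aws:logs:*:*:*` the function can write into any log group in any account it can reach, which matters the moment a dependency in the function is compromised. In a real account, IAM Access Analyzer and the S3 console's public-access findings do what `public_statements()` does here, and the evaluation also folds in SCPs, permission boundaries, session policies and resource policies, which this single-policy model leaves out.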

Cost Optimization Tips

  • Use Reserved Instances or Savings Plans for predictable workloads (up to 72% off On-Demand)

  • Use Spot Instances for fault-tolerant batch workloads (up to 90% off)

  • S3 lifecycle policies — transition old data to S3 Standard-IA or Glacier storage classes and expire objects (and stale versions) you no longer need

  • Enable S3 Intelligent-Tiering for unpredictable access patterns

  • CloudFront reduces S3 data transfer costs (CloudFront egress is cheaper)

  • Right-size EC2 instances using AWS Compute Optimizer recommendations
