1. What is the difference between EC2, ECS, and Lambda? When would you use each?
Difficulty: easy
How to approach this: EC2: full virtual machines you manage (OS, patches, scaling). ECS: managed container orchestration (you manage containers, AWS manages the cluster). Lambda: serverless functions (no servers to manage, pay per invocation). Use EC2 for long-running stateful workloads, ECS for containerized microservices, Lambda for event-driven short-duration tasks.
2. Explain the shared responsibility model in AWS.
Difficulty: easy
How to approach this: AWS is responsible for security OF the cloud (physical infrastructure, hypervisor, networking, managed service internals). You are responsible for security IN the cloud (IAM policies, network configuration, data encryption, application security, OS patching for EC2). The boundary shifts depending on the service: more managed = less your responsibility.
3. How would you design a highly available architecture on AWS?
Difficulty: medium
How to approach this: Multi-AZ deployment: distribute resources across at least 2 Availability Zones. Use an Application Load Balancer to distribute traffic. RDS Multi-AZ for database failover. Auto Scaling Groups for compute. S3 for durable storage (automatically replicated). Route 53 health checks for DNS failover. For global availability, use multi-region with Route 53 latency-based routing.
4. What is an IAM role, and how does it differ from an IAM user?
Difficulty: easy
How to approach this: An IAM user has long-term credentials (password, access keys) and represents a person or application. A role has temporary credentials (STS tokens) and is assumed by entities (EC2 instances, Lambda functions, other accounts). Best practice: use roles for AWS services (never put access keys on EC2), and use roles with external identity providers for human access.
5. How would you reduce AWS costs for a production workload?
Difficulty: medium
How to approach this: Right-size instances (use Compute Optimizer recommendations). Use Reserved Instances or Savings Plans for steady-state workloads (up to 72% savings). Spot Instances for fault-tolerant batch jobs. Delete unused EBS volumes and snapshots. Use S3 lifecycle policies to move old data to cheaper storage classes. Enable Cost Explorer and set billing alerts. Consider Graviton (ARM) instances for better price-performance.
6. Explain the difference between S3 storage classes and when to use each.
Difficulty: medium
How to approach this: Standard: frequent access, low latency. Intelligent-Tiering: automatically moves objects between tiers based on access patterns. Standard-IA: infrequent access, lower cost, retrieval fee. One Zone-IA: same but single AZ (lower durability). Glacier Instant: archive with millisecond retrieval. Glacier Flexible: minutes to hours retrieval. Glacier Deep Archive: cheapest, 12-48 hour retrieval.
7. How does a VPC work, and how would you design one for a three-tier application?
Difficulty: medium
How to approach this: A VPC is your isolated network in AWS. Design: public subnets (ALB, NAT Gateway) with internet access via Internet Gateway, private subnets (application servers) with outbound-only access via NAT Gateway, and isolated subnets (databases) with no internet access. Use security groups (instance-level) and NACLs (subnet-level) for defense in depth.
8. What is the difference between SQS and SNS? When would you use each?
Difficulty: medium
How to approach this: SQS is a message queue (point-to-point, consumers pull messages, guaranteed delivery, ordering). SNS is a pub/sub notification service (one-to-many, pushes to subscribers: Lambda, SQS, HTTP, email). Use SQS for decoupling services with a work queue. Use SNS for fan-out (one event triggers multiple downstream services). They are often used together: SNS publishes to multiple SQS queues.
9. How would you migrate a monolithic application to AWS?
Difficulty: hard
How to approach this: Follow the 6 R's: Rehost (lift and shift to EC2), Replatform (move to managed services like RDS, ECS), Refactor (redesign as microservices), Repurchase (switch to SaaS), Retire (decommission unused parts), Retain (keep on-premises). Start with rehosting for quick wins, then gradually replatform and refactor the most impactful components. Use AWS Migration Hub to track progress.
10. Explain how AWS Auto Scaling works and how you would configure it.
Difficulty: medium
How to approach this: Auto Scaling adjusts the number of EC2 instances based on demand. Configure: launch template (AMI, instance type), min/max/desired capacity, and scaling policies. Target tracking (maintain CPU at 70%) is simplest. Step scaling (add 2 instances when CPU > 80%) gives more control. Predictive scaling uses ML to pre-scale before expected demand spikes. Always pair with a health check.
11. What is CloudFormation, and how does it compare to Terraform?
Difficulty: medium
How to approach this: CloudFormation is AWS-native IaC using YAML/JSON templates. Terraform is multi-cloud IaC using HCL. CloudFormation has deeper AWS integration (drift detection, stack sets for multi-account). Terraform supports multiple providers, has a richer module ecosystem, and a more readable language. Choose CloudFormation for AWS-only shops; Terraform for multi-cloud or if your team prefers HCL.
12. How would you secure an S3 bucket that should only be accessible by a specific application?
Difficulty: medium
How to approach this: Default deny: S3 buckets are private by default. Use a bucket policy to allow access only from a specific IAM role (the application's role). Block public access at the account level. Enable server-side encryption (SSE-S3 or SSE-KMS). Enable S3 access logging. Use VPC endpoints if the application is in a VPC to keep traffic off the public internet.
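As an added example (not part of the original question set), here is the bucket policy described in question 12, restricting object access to one application role and explicitly denying plaintext HTTP, together with a minimal offline evaluator that applies IAM's "explicit deny beats allow, otherwise implicit deny" ordering so the policy's intent can be checked before it is deployed. The bucket name and role ARN are hypothetical, and the evaluator only models the bucket policy itself (a real request is also subject to the caller's identity policy, permission boundaries and Block Public Access).

```python
"""Bucket policy for a single application role, plus an offline evaluator.
Bucket and role names below are assumed placeholders, not real resources."""
import fnmatch

BUCKET = "example-app-data"                              # assumed bucket name
APP_ROLE = "arn:aws:iam::123456789012:role/app-role"     # assumed application role
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only the application's role may list the bucket and read/write objects
            "Sid": "AllowAppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
        },
        {   # Explicit deny for any caller using plaintext HTTP; an explicit Deny
            # always wins over an Allow, so even the app role is refused here
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statement_matches(stmt, principal, action, resource, secure):
    """True if the statement's principal, action, resource and TLS condition all apply."""
    if stmt["Principal"] != "*" and principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    want = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return want is None or want == str(secure).lower()

def is_allowed(principal, action, resource, secure=True):
    """Bucket-policy decision: any matching Deny refuses; else an Allow is needed."""
    effects = {s["Effect"] for s in BUCKET_POLICY["Statement"]
               if _statement_matches(s, principal, action, resource, secure)}
    return "Deny" not in effects and "Allow" in effects
```

The evaluator uses shell-style wildcard matching, which is enough for the `s3:*` and `bucket/*` patterns in this policy but not a full IAM policy engine.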