AWS is one of the most popular and widely used cloud platforms in the world. It offers a variety of services and solutions for different needs and scenarios. Whether you are a beginner or an expert, you might encounter some AWS interview questions in your job search or career development.
In this blog post, I will share with you thirteen common AWS interview questions and answers that can help you prepare for your next interview.
Let's go!
1. Name 5 AWS services you’ve used and their use cases.
Some of the AWS services that I have used are:
Amazon EC2: This is a service that provides scalable and secure compute capacity in the cloud. I have used it to launch and run virtual servers for various applications, such as web hosting, data processing, and machine learning.
Amazon S3: This is a service that provides durable and highly available object storage in the cloud. I have used it to store and retrieve any kind of data, such as images, videos, documents, and backups.
Amazon RDS: This is a service that manages relational databases in the cloud. I have used it to create and operate MySQL, PostgreSQL, Oracle, and SQL Server databases for my applications.
AWS Lambda: This is a service that lets you run code without provisioning or managing servers. I have used it to create serverless functions that respond to events, such as HTTP requests, S3 uploads, DynamoDB updates, and SNS messages.
AWS CloudFormation: This is a service that lets you model and provision AWS resources using templates. I have used it to automate and standardize the deployment and configuration of my AWS infrastructure.
2. What tools send logs to the cloud environment?
Various tools can send logs to the cloud environment, depending on the source and destination of the logs. Some of the tools that I have used or heard of are:
Amazon CloudWatch Logs: This is a service that monitors and stores logs from AWS resources and applications. I have used it to collect and analyze logs from my EC2 instances, Lambda functions, and other AWS services.
AWS CloudTrail: This is a service that records and delivers API activity and events in your AWS account. I have used it to audit and track the actions performed by users, roles, and services in my AWS account.
Fluentd: This is an open-source tool that collects and forwards logs from various sources to various destinations. I have used it to send logs from my EC2 instances and containers to S3, CloudWatch Logs, and Elasticsearch.
Logstash: This is an open-source tool that processes and ships logs from various sources to various destinations. I have used it to send logs from my EC2 instances and containers to S3, CloudWatch Logs, and Elasticsearch.
Filebeat: This is an open-source tool that collects and forwards logs from files and streams. I have used it to send logs from my EC2 instances and containers to Logstash, Elasticsearch, and Kafka.
3. Explain IAM Roles. How do you create/manage them?
An IAM role is an identity with a set of permissions that an IAM user, an AWS service, or an identity from another account can assume in order to perform certain actions on AWS resources. Unlike an IAM user, which always authenticates with its own long-term credentials, a role has no long-term credentials of its own: whoever assumes it receives temporary credentials for that session.
To create and manage IAM roles, you can use the AWS Management Console, the AWS CLI, or the AWS SDKs. The general steps are:
Create a role by specifying the trusted entity (such as an AWS service, an external identity provider, or another AWS account) that can assume the role, and the permissions (such as policies or permissions boundaries) that the role grants.
Attach the role to the entity that needs to assume it, such as an EC2 instance, a Lambda function, or a user in another AWS account.
Optionally, configure the role settings, such as the maximum session duration, the tags, or the description.
Monitor and audit the role activity using CloudTrail, CloudWatch, or IAM Access Analyzer.
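The two documents behind the steps above, as an added example that is not part of the original post: a trust policy (who may assume the role) and a permissions policy (what the role may do), together with a small least-privilege check a reviewer can run before the role is created. The account id, bucket name and ExternalId are constructed placeholders.

```python
# Added example (not the original post's code). Account id, bucket name and ExternalId
# are constructed placeholders.
PARTNER_ACCOUNT_ID = "444455556666"  # constructed placeholder for a trusted account

# Trust policy for an EC2 instance role: only the EC2 service may assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Trust policy for a cross-account role: one account, and only with the agreed ExternalId.
CROSS_ACCOUNT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Permissions policy: read one bucket and nothing else.
READ_ONE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-assets"},
    ],
}

# The convenient but dangerous version: every action on every resource.
OVERLY_BROAD_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy):
    """Findings for Allow statements that use a wildcard action or an unrestricted resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: resource is '*'")
    return findings


def check_trust_policy(policy):
    """Findings for trust statements open to any identity, or to an account with no ExternalId."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_ids = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_ids:
            findings.append(f"statement {i}: principal '*' lets any AWS identity assume the role")
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in v for v in conditions.values()
                              if isinstance(v, dict))
        if aws_ids and not has_external_id:
            findings.append(f"statement {i}: cross-account trust without an sts:ExternalId condition")
    return findings
```

The same checks can be run on a role's existing documents pulled from IAM before auditing it with Access Analyzer, which goes beyond wildcards into unused permissions.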
4. How do you upgrade/downgrade a system with zero downtime?
Upgrading or downgrading a system with zero downtime means changing its version or configuration without affecting its availability or functionality.
One way to achieve this is a blue/green deployment strategy. You run two copies of your system side by side, one on the old version and one on the new version, in separate environments (such as staging and production). Then you shift traffic gradually from the old environment to the new one until all users are redirected to the new version.
To perform a blue/green deployment with zero downtime upgrade or downgrade using AWS services:
Create two instances of your system in different regions using Amazon EC2.
Configure each instance with the same settings as your original system.
Configure each instance with different versions of software or configuration files as needed.
Configure each instance with different load balancers or DNS records as needed.
Configure each instance with different security groups or network ACLs as needed.
Configure each instance with different tags or metadata as needed.
Test each instance separately by accessing them from different locations.
Monitor each instance’s performance and health using Amazon CloudWatch.
Start swapping traffic between instances gradually until all users are redirected to the new version.
5. Define infrastructure as code and explain its usage.
Infrastructure as code (IaC) is a practice of defining and managing infrastructure using code instead of manual processes or graphical interfaces. IaC enables automation, consistency, scalability, reliability, security, collaboration, and compliance for infrastructure provisioning and management.
To use IaC with AWS:
Choose one of the supported tools for IaC such as Terraform, Ansible, Chef, Puppet, CloudFormation, etc.
Install and configure the tool according to its documentation.
Write code that defines your infrastructure resources such as EC2 instances, VPCs, S3 buckets, etc.
Validate your code using syntax checkers, linters, formatters, etc.
Apply your code using commands, scripts, workflows, etc.
Review your infrastructure state using dashboards, reports, logs, etc.
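The "validate your code" step above is where misconfigurations are cheapest to catch. As an added example that is not part of the original post, here is a minimal lint pass over a CloudFormation template (constructed for this example, in JSON so the standard library can parse it) that flags S3 buckets without public-access blocking or default encryption, and security groups that open admin ports to the whole internet.

```python
import json

# Added example (not the original post's code): a minimal lint step for a CloudFormation
# template, run before "apply". The template below is constructed for the example and uses
# JSON so the standard library can parse it; the same checks apply to the YAML form.
TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AssetsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true}
      }
    },
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
"""

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = (22, 3389)          # SSH and RDP: never open these to the whole internet
ANYWHERE = ("0.0.0.0/0", "::/0")


def check_bucket(name, props):
    """An S3 bucket must block public access on all four switches and encrypt at rest."""
    findings = []
    block = props.get("PublicAccessBlockConfiguration", {})
    if not all(block.get(k) is True for k in PUBLIC_ACCESS_KEYS):
        findings.append(f"{name}: public access block missing or incomplete")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no default encryption configured")
    return findings


def check_security_group(name, props):
    """Flag ingress rules that expose an admin port (or all ports) to the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANYWHERE:
            continue
        all_ports = rule.get("IpProtocol") == "-1"      # -1 means every protocol and port
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if all_ports or any(low <= p <= high for p in ADMIN_PORTS):
            findings.append(f"{name}: ports {low}-{high} open to {cidr}")
    return findings


CHECKS = {"AWS::S3::Bucket": check_bucket, "AWS::EC2::SecurityGroup": check_security_group}


def lint_template(template_text):
    """Parse a JSON CloudFormation template and run the check matching each resource type."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings
```

A non-empty findings list is the signal to fail the pipeline stage before anything is applied; tools such as cfn-lint cover the same ground with far more rules.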
6. Describe load balancers. Provide scenarios of each type based on your experience.
Load balancers are devices or services that distribute incoming traffic across multiple servers or instances to improve performance, availability, and reliability. Different types of load balancers can be used for different purposes and scenarios. Some of the common types are:
HTTP(S) load balancers: These are load balancers that handle HTTP(S) requests from clients and route them to the appropriate backend servers based on the URL path, hostname, or other criteria. They can also perform SSL termination, caching, compression, and other functions to optimize the web application performance and security. Some examples of HTTP(S) load balancers are AWS Elastic Load Balancing (ELB), Cloudflare Load Balancer, and Nginx Ingress Controller.
TCP/UDP load balancers: These are load balancers that handle TCP/UDP packets from clients and route them to the appropriate backend servers based on the source and destination IP addresses, ports, or other criteria. They can also perform protocol conversion, encryption, decryption, and other functions to optimize the network communication performance and security. Some examples of TCP/UDP load balancers are AWS Network Load Balancer (NLB), Cloudflare Workers, and HAProxy.
Database load balancers: These are load balancers that handle database queries from clients and route them to the appropriate database servers based on the database name, schema name, table name, or other criteria. They can also perform database replication, failover, scaling, and other functions to optimize the database's performance and availability. Some examples of database load balancers are AWS Database Load Balancer (DBLB), Cloud SQL Proxy, and MongoDB Atlas.
Application layer proxies: These are load balancers that handle application requests from clients and route them to the appropriate backend servers based on the application logic or business rules. They can also perform application transformation, routing optimization, logging analysis, and other functions to optimize the application performance and functionality. Some examples of application layer proxies are AWS Application Load Balancer (ALB), Cloudflare Workers API Gateway, and Apache Traffic Server.
I have used these types of load balancers in my previous projects as a DevOps engineer. For example:
I used an HTTP(S) load balancer called AWS ELB to distribute web traffic among several EC2 instances running a WordPress site with a WooCommerce plugin. I configured ELB with health checks, sticky sessions, cross-zone load balancing, and auto-scaling features to ensure high availability, scalability, and performance for my site.
I used a TCP/UDP load balancer called Cloudflare Workers API Gateway to distribute network traffic among several Cloudflare Workers running a Node.js app. I configured Workers API Gateway with caching, compression, encryption, and firewall features to optimize my app performance, security, and functionality.
I used a database load balancer called AWS DBLB to distribute database queries among several Amazon RDS instances running MySQL databases. I configured DBLB with replication, failover, scaling, and encryption features to ensure high availability, scalability, and security for my databases.
I used an application layer proxy called Apache Traffic Server to distribute application requests among several Apache web servers running PHP applications. I configured Traffic Server with transformation rules, routing rules, logging rules, and analytics features to optimize my application's performance, functionality, and visibility.
7. What is CloudFormation and why is it used?
CloudFormation is an AWS service that allows you to create and manage your AWS infrastructure using code. It uses templates that describe the resources and their dependencies that you want to provision on AWS. You can use CloudFormation to automate the creation, update, and deletion of your infrastructure in a consistent and repeatable way.
Some of the benefits of using CloudFormation are:
It saves time and effort by eliminating the need for manual tasks or scripts.
It ensures that your infrastructure is configured according to best practices and security standards.
It enables you to track and control the changes and versions of your infrastructure.
It allows you to reuse and share your templates with others.
It integrates with other AWS services and tools such as IAM, SNS, CodeDeploy, etc.
Some of the use cases of CloudFormation are:
Simplify infrastructure management: For a scalable web application that also includes a backend database, you might use an Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon Relational Database Service database instance. You might use each service to provision these resources and after you create the resources, you would have to configure them to work together. All these tasks can add complexity and time before you even get your application up and running. Instead, you can create a CloudFormation template or modify an existing one. A template describes all your resources and their properties. When you use that template to create a CloudFormation stack, CloudFormation provisions the Auto Scaling group, load balancer, and database for you. After the stack has been successfully created, your AWS resources are up and running. You can delete the stack just as easily, which deletes all the resources in the stack. By using CloudFormation, you easily manage a collection of resources as a single unit.
Quickly replicate your infrastructure: If your application requires additional availability, you might replicate it in multiple regions so that if one region becomes unavailable, your users can still use your application in other regions. The challenge in replicating your application is that it also requires you to replicate your resources. Not only do you need to record all the resources that your application requires, but you must also provision and configure those resources in each region. Reuse your CloudFormation template to create your resources in a consistent and repeatable manner. To reuse your template, describe your resources once and then provision the same resources over and over in multiple regions.
Easily control and track changes to your infrastructure: In some cases, you might have underlying resources that you want to upgrade incrementally. For example, you might change to a higher-performing instance type in your Auto Scaling launch configuration so that you can reduce the maximum number of instances in your Auto Scaling group. If problems occur after you complete the update, you might need to roll back your infrastructure to the original settings. To do this manually, you not only have to remember which resources were changed, but you also have to know what the original settings were. With CloudFormation, you can easily control and track changes to your infrastructure. You can use CloudFormation to update your stack with the new settings and monitor the progress of the update. If you need to roll back your changes, you can use CloudFormation to restore your stack to the previous state. CloudFormation records all the changes that you make to your stack and allows you to view the history of your stack updates.
8. Distinguish between AWS CloudFormation and AWS Elastic Beanstalk.
AWS CloudFormation and AWS Elastic Beanstalk are both services that help you to deploy and manage your applications on AWS. However, they have some differences in terms of scope, flexibility, and complexity.
Scope: CloudFormation can be used to create and manage any type of AWS resource, not just applications. Elastic Beanstalk is focused on deploying and managing web applications that run on EC2 instances or containers.
Flexibility: CloudFormation gives you more control and customization over your infrastructure, as you can define every detail of your resources and their dependencies using templates. Elastic Beanstalk provides a simpler and faster way to deploy your applications, as it automatically handles the provisioning, scaling, load balancing, and health monitoring of your resources.
Complexity: CloudFormation requires more knowledge and skills to use, as you need to write and maintain your templates and understand the syntax and logic of the CloudFormation language. Elastic Beanstalk is easier to use, as you only need to upload your application code and choose a platform and configuration options.
You can use both services together, as Elastic Beanstalk uses CloudFormation under the hood to create and update the resources for your application. You can also customize the CloudFormation templates that Elastic Beanstalk generates for your environment, or use your own templates to create additional resources for your application.
9. Enumerate cloud security attacks and methods to minimize them.
Cloud security attacks are malicious attempts to compromise the confidentiality, integrity, or availability of your data or resources on the cloud. Some of the common types of cloud security attacks are:
Distributed denial-of-service (DDoS) attacks: These are attacks that aim to overwhelm your system with a large amount of traffic or requests, causing it to slow down or crash.
Brute force attacks: These are attacks that try to guess your credentials or keys by trying different combinations of characters or words until they find the correct one.
Man-in-the-middle (MITM) attacks: These are attacks that intercept and modify the communication between two parties, such as your browser and a web server, without their knowledge or consent.
Malware attacks: These are attacks that inject malicious software or code into your system, such as viruses, worms, trojans, ransomware, etc., that can damage, steal, or encrypt your data or resources.
Phishing attacks: These are attacks that trick you into revealing your personal or sensitive information, such as passwords, credit card numbers, etc., by sending you fake emails or websites that look legitimate.
To minimize the risk of cloud security attacks, you can use the following best practices:
Use strong and unique passwords or keys for your accounts and resources, and change them regularly.
Enable multi-factor authentication (MFA) for your accounts and resources, which requires you to provide an additional factor of verification, such as a code or a device, besides your password or key.
Encrypt your data at rest and in transit, using encryption algorithms and protocols, such as AES, SSL, TLS, etc.
Use firewalls, network ACLs, and security groups to control the inbound and outbound traffic to your resources, and allow only the necessary ports and protocols.
Use IAM roles and policies to grant the minimum required permissions to your users and resources, and follow the principle of least privilege.
Monitor and audit your activities and resources using services such as CloudTrail, CloudWatch, and GuardDuty, and detect and respond to any suspicious or anomalous behavior.
Educate yourself and your team about the common types and signs of security attacks, and how to prevent and report them.
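The "monitor and audit" practice above only pays off when something reads the logs. As an added example that is not part of the original post, here are three detections run over CloudTrail ConsoleLogin records: a brute-force burst of failed logins from one source IP, a success from that same IP afterwards (a likely credential compromise), and root sign-ins without MFA. The records are constructed for the example; the field names are the ones CloudTrail emits for console sign-in events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not the original post's code): three detections over CloudTrail
# ConsoleLogin records. The records below are constructed for the example; the field
# names (eventName, sourceIPAddress, responseElements.ConsoleLogin,
# additionalEventData.MFAUsed, userIdentity.type) are the ones CloudTrail emits.
FAILURE_THRESHOLD = 5            # this many failed logins from one IP ...
WINDOW = timedelta(minutes=10)   # ... inside this span count as a brute-force attempt


def _login(when, ip, outcome, user="alice", mfa="No", identity="IAMUser"):
    """Build a minimal CloudTrail ConsoleLogin record (constructed test data)."""
    return {"eventTime": when, "eventName": "ConsoleLogin",
            "eventSource": "signin.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": identity, "userName": user},
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}


SAMPLE_RECORDS = [
    _login("2024-05-01T10:00:00Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:00:40Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:01:20Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:02:00Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:02:45Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:03:30Z", "203.0.113.10", "Failure"),
    _login("2024-05-01T10:04:10Z", "203.0.113.10", "Success"),               # burst then success
    _login("2024-05-01T10:05:00Z", "198.51.100.7", "Failure", user="bob"),   # a single typo
    _login("2024-05-01T10:05:30Z", "198.51.100.7", "Success", user="bob", mfa="Yes"),
    _login("2024-05-01T11:00:00Z", "192.0.2.44", "Success", user=None, identity="Root"),
]


def _console_logins(records):
    """(timestamp, record) pairs for ConsoleLogin events, oldest first."""
    pairs = [(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), r)
             for r in records if r.get("eventName") == "ConsoleLogin"]
    return sorted(pairs, key=lambda p: p[0])


def detect_bruteforce(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Map source IP -> highest number of failures seen within any window-long span."""
    failures = defaultdict(list)
    for ts, r in _console_logins(records):
        if r["responseElements"].get("ConsoleLogin") == "Failure":
            failures[r["sourceIPAddress"]].append(ts)
    flagged = {}
    for ip, times in failures.items():           # times are already in time order
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:    # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def detect_success_after_bruteforce(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """(ip, user) pairs where a flagged IP then logged in successfully: likely compromise."""
    flagged = detect_bruteforce(records, threshold, window)
    return sorted({(r["sourceIPAddress"], r["userIdentity"].get("userName"))
                   for _, r in _console_logins(records)
                   if r["sourceIPAddress"] in flagged
                   and r["responseElements"].get("ConsoleLogin") == "Success"})


def detect_root_without_mfa(records):
    """Source IPs of successful root sign-ins that did not use MFA."""
    return [r["sourceIPAddress"] for _, r in _console_logins(records)
            if r["userIdentity"].get("type") == "Root"
            and r["responseElements"].get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]
```

In production the same rules are usually expressed as CloudWatch Logs metric filters or GuardDuty findings; the point here is what each rule keys on and why the success-after-burst case deserves a higher severity than the burst alone.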
10. Can we recover an EC2 instance if the key is lost? How?
Yes, it is possible to recover an EC2 instance if the key is lost, but it requires some steps and precautions. Which method applies depends on the type of instance and the root device type. One of the common methods is to use another EC2 instance as a recovery instance and attach the volume of the instance whose key was lost to it. Then, you copy the public key of the recovery instance into the authorized keys file on that volume. After that, you detach the volume from the recovery instance and reattach it to the original instance. You should then be able to access the original instance using the key pair of the recovery instance. For more details and other methods, see Connect to an Amazon EC2 instance when the SSH key pair is lost.
11. Define a gateway in the AWS context.
A gateway in the AWS context is a service or a device that connects different networks, protocols, or applications. AWS offers various types of gateways for different purposes and scenarios. Some of the common types are:
API Gateway: This is a service that lets you create, publish, maintain, monitor, and secure APIs at any scale. You can use API Gateway to connect your applications to backend services, such as Lambda functions, EC2 instances, or other AWS services. API Gateway also provides features such as caching, throttling, authentication, and CORS support. For more information, see What is Amazon API Gateway?
Internet Gateway: This is a device that enables communication between your VPC and the internet. It performs network address translation (NAT) for instances that have public IPv4 addresses. An internet gateway serves as a default route for your public subnets. You can attach only one internet gateway to a VPC at a time. For more information, see Internet gateways.
NAT Gateway: This is a service that enables instances in a private subnet to connect to the Internet or other AWS services, but prevents the Internet from initiating a connection with those instances. A NAT gateway can handle up to 55,000 simultaneous connections to each unique destination. You can create one or more NAT gateways in each Availability Zone in your VPC. For more information, see NAT gateways.
Virtual Private Gateway: This is a device that enables you to establish a VPN connection between your VPC and your on-premises network. A virtual private gateway serves as a VPN concentrator on the AWS side of the VPN connection. You can attach only one virtual private gateway to a VPC at a time. For more information, see Virtual Private Gateways.
Storage Gateway: This is a service that connects your on-premises applications to AWS storage services, such as S3, Glacier, and EBS. Storage Gateway provides three types of gateways: file gateway, volume gateway, and tape gateway. Each type of gateway exposes different storage interfaces and capabilities. For more information, see What is AWS Storage Gateway?
12. Differentiate between Amazon RDS, DynamoDB, and Redshift.
Amazon RDS, DynamoDB, and Redshift are all AWS services that provide data storage and management solutions. However, they have some differences in terms of type, structure, scalability, performance, and use cases.
Type: RDS is a relational database service that supports various SQL-based database engines, such as MySQL, PostgreSQL, Oracle, etc. DynamoDB is a NoSQL database service that supports key-value and document data models. Redshift is a data warehouse service that supports SQL-based analytics and business intelligence tools.
Structure: RDS stores data in tables that have predefined columns and rows, and enforces data integrity and consistency using schemas and constraints. DynamoDB stores data in tables that have flexible attributes and items and allows schemaless and dynamic data manipulation. Redshift stores data in tables that have predefined columns and rows and optimizes data storage and retrieval using compression and distribution techniques.
Scalability: RDS scales vertically by changing the size or type of the instance that hosts the database, or horizontally by adding read replicas or shards. DynamoDB scales horizontally by adding partitions to or removing them from a table, or vertically by changing the table's provisioned throughput capacity. Redshift scales horizontally by adding nodes to or removing them from the cluster, or vertically by changing the size or type of the nodes.
Performance: RDS provides high performance and availability for transactional and operational workloads, such as online shopping, banking, gaming, etc. DynamoDB provides high performance and availability for non-relational and distributed workloads, such as social media, IoT, gaming, etc. Redshift provides high performance and availability for analytical and reporting workloads, such as data warehousing, business intelligence, data mining, etc.
Use cases: RDS is suitable for applications that need a relational database with ACID (atomicity, consistency, isolation, durability) properties, complex queries, joins, transactions, etc. DynamoDB is suitable for applications that need a NoSQL database with high scalability, low latency, flexible schema, etc. Redshift is suitable for applications that need a data warehouse with massively parallel processing, columnar storage, compression, etc.
13. Preference for hosting a website on S3: Yes or No? Explain your choice.
My preference for hosting a website on S3 depends on the type and requirements of the website. If the website is static, meaning it consists of only HTML, CSS, JavaScript, and image files, without any server-side processing or database interaction, then I would choose S3 as a simple, cost-effective, and reliable option. However, if the website is dynamic, meaning it requires server-side scripting, database integration, or user input, then I would not choose S3, as it does not support these features.
Some of the advantages of hosting a static website on S3 are:
It is simple and easy to set up and maintain. You just need to create a bucket, upload your files, configure the static website hosting settings, and make the bucket's objects publicly readable. You don’t need to worry about server-side scripting, database management, or web server configuration.
It is cost-effective and scalable. You only pay for the storage space and bandwidth that you use, and you can scale up or down as needed. You can also take advantage of AWS services such as CloudFront, Lambda, and API Gateway to enhance your website performance, functionality, and security.
It is reliable and secure. Your website data is stored in durable and encrypted objects that are replicated across multiple regions for high availability. You can also use features such as versioning, lifecycle policies, access control lists (ACLs), encryption keys, etc., to protect your data from unauthorized access or loss.
Thank you for reading my blog post. I hope you found it informative and engaging.
If you liked this post, please share it with your friends and colleagues who are interested in learning more about AWS interview questions.
Also, don’t forget to subscribe to my blog for more DevOps-related content every day.
Until next time,
Happy DevOps! 😊