Top 90+ AWS Interview Questions and Answers (2024)

CTA

AWS is one of the largest cloud providers in the world. Companies like Netflix, Airbnb, McDonalds, Apple, Walt Disney, and many more Fortune 500 companies are hosted on AWS. Among all the cloud engineer jobs available in the market, the majority require AWS skills since AWS has the largest market share, and hence, its jobs are also more.

According to LinkedIn, currently there are 61000+ jobs available for AWS in India. So, if you have an upcoming AWS interview or are preparing to become a cloud engineer, this guide on AWS Interview Questions should be your last stop!

AWS as a skillset is expected from varied experience-level individuals. Hence, we have divided these AWS Interview Questions into the following categories:

Table of content

• Basic AWS Interview Questions for Freshers
• Intermediate AWS Interview Questions and Answers
• Advanced AWS Interview Questions for Experienced
• AWS Scenario-Based Interview Questions
• AWS Interview Questions for Solution Architect

1. What is the maximum number of S3 buckets you can create?
2. Why do we make subnets?
3. Is there a way to upload a file that is greater than 100 megabytes on Amazon S3?
4. When should you use the classic load balancer vs the application load balancer?
5. You accidentally stopped an EC2 instance in a VPC with an associated Elastic IP. If you start the instance again, what will be the result?
6. What are policies, and what are the different types of policies?
7. What are the different ways to encrypt a file in S3?
8. Your organization wants to send and receive compliance emails to its clients using its email address and domain. What service would you suggest for achieving the same easily and cost-effectively?

1. What is AWS, and how does it help businesses?

Amazon Web Services (AWS) is a cloud platform. Cloud platforms help businesses rent infrastructure (servers, storage, databases, etc.) rather than buy it. The pricing model cloud platforms use is Pay-as-You-Go, i.e., if you use a server for 10 days, you just pay for 10 days, or if you use it for 1 hour, you just pay for 1 hour.

This pricing model attracts businesses to cloud platforms. Rather than buying infrastructure, they use AWS’s pay-as-you-go model to launch their servers on AWS.

But pricing is not the only factor; here are a few more reasons as to why businesses prefer using a cloud platform like AWS:

1. Hardware maintenance is taken care of by AWS
2. AWS promises an SLA of 99.99% of server availability monthly
3. You can scale up or down your infrastructure as per your business needs
4. You can also automatically scale up / down (autoscaling) the number of servers based on the traffic coming to your application or the CPU usage.
5. You will never run out of storage; you can scale up or down your storage requirements in real-time.

2. What is the Shared Responsibility Model of AWS?

The Shared Responsibility Model in AWS is a framework that defines the security and compliance responsibilities between AWS and the customer using the AWS services.

Take the example of renting a house; as a tenant, you must lock the doors while leaving, ensure all electrical appliances are off when unused, etc., and pay rent on time.

As an owner, you must get anything old repaired, such as leaking pipes or faulty geysers or lights, pay security maintenance, pay property taxes, etc.

Similarly, when you use AWS infrastructure, the responsibility for its security is shared between AWS and the customers.

AWS Responsibilities include:

1. Physical Security: AWS ensures the security of the hardware, data center, etc.
2. Network Security: Ensure the security of hardware components of the network, such as routers, switches, etc.
3. Virtualisation: AWS ensures the security of underlying hardware, software and networks that support virtualisation.
4. Compliance: AWS ensures certifications and compliances like ISO 27001, PCI DSS etc.

Customer’s responsibilities:

• Application Security
• Network Configuration
• Data Encryption
• Customer Data
• Identity and Access Management

Source: AWS Official Documentation

3. What is the relation between Availability Zone and Regions?

Regions and Availability Zones are the building blocks of the AWS Global Infrastructure.

Let’s understand them one by one:

1. Regions: AWS Cloud Services are available worldwide at various strategic locations across continents. Each continent/country/area where AWS infrastructure is present is called a region, and each region has multiple availability zones. 
2. Availability Zone: Availability Zones exist within an AWS Region. Each availability zone has one or more data centres and is connected to one another with low latency, high throughput, and highly redundant networking.

The image below depicts how regions and availability zones are related.

Source: AWS Documentation

4. What is an EC2 instance?

An EC2 (Elastic Compute Cloud) is an AWS server. Elastic in the name of EC2 means scalable. You can increase or decrease the number of EC2 machines (Horizontal Scaling) or increase or decrease the configuration of an EC2 instance (Vertical Scaling). Hence, the name EC2.

 This server has a lot of configurable properties, like:

1. Configuration: You can decide the size of an EC2 instance, such as how many CPU cores and how much memory is required for the server
2. Storage: You can decide the size of the hard drive (EBS) and the type of the hard drive (SSD, Premium SSD, etc.)
3. Network: You need to deploy an EC2 instance inside a VPC. You can customise the properties of the VPC as per your needs.
4. Firewall: You can customise the inbound and outbound rules to your EC2 instance via Security Groups.

5. Explain VPC and its components in AWS

Virtual Private Cloud (VPC) is a networking service in AWS that helps configure the network properties for the resources that will be deployed inside it.

In the image below, you can see the essential components of a VPC:

Source: AWS Documentation

Let’s understand them one by one: 

There are various components of VPC; let’s understand them in chronological order as per the image:

1. Virtual Private Cloud: A VPC is the top-most network layer in AWS. Almost all the resources in AWS are deployed inside a VPC. 
2. Subnets: Inside VPCs, you have to create subnets. Any resource that has to be deployed inside a VPC has to be deployed inside a subnet. Each subnet can be associated with one or more availability zones. Subnets can be connected to each other via Route Tables. Subnets can be of two types:
   • Public Subnet: A public subnet is a subnet that has inbound and outbound access to the Internet. A web application, for example, is deployed inside a public subnet since it needs to be accessed over the Internet.
   • Private Subnet: A subnet without internet access is called a private subnet. For example, a database server does not need internet access; it just needs to communicate with a web server. Therefore, it is deployed inside a private subnet to protect it from unwanted cyber attacks from the internet.
3. Internet Gateway: Whenever we want to give internet access to a subnet, we attach an internet gateway to it. As the name suggests, an internet gateway provides the internet’s inbound and outbound access to the subnet. In other words, if you want to create a public subnet, simply attach an internet gateway.
4. NAT Gateway: A NAT Gateway is a special gateway that can help private subnets get outbound internet access by relaying requests via the public subnet. With this approach, a NAT Gateway forwards the request to the public subnet’s internet gateway, through which resources/servers in the private subnet can browse the internet but not get any inbound requests.
5. Elastic IP: An elastic IP address is a static IP address that does not change when a machine’s state changes.For example, when you stop an EC2 instance, the public IP address attached to it is detached. When the EC2 machine is again turned on, a random new public IP address will be attached. However, if you want the IP address to remain the same, no matter what the machine’s state is, you can attach an Elastic IP address to it.
6. Route Tables: Route Tables help you define how traffic within a VPC travels. Each table has a target and a destination. For example, an Internet Gateway to connect to the Internet has a route defined in the route table. The target will be the Internet gateway, and the destination will be 0.0.0.0/0, which means any IP address.

6. Why do we make subnets?

Subnets can be imaged as sub-parts of a network; creating subnets are helpful in a lot of ways. Let’s discuss them one by one:

1. Isolation of Resources: Subnets are a great way to isolate resources in your AWS infrastructure based on their properties. For example, you can isolate database servers from the internet and only grant internet access to your web servers.
2. Control Network Traffic: Subnets can be used to control network traffic on your AWS resources. This is accomplished using NACLs, which act as a firewall for each subnet. You can customize the network for each of your subnets separately.
3. High Availability: Subnets can be deployed in multiple availability zones, then you can choose how your servers scale across different subnets, ensuring outage in one AZ does not affect resources deployed in other AZs via different subnets.
4. Efficient Private IP allocation: You can divide your subnets into IP address ranges (CIDR blocks) of manageable chunks.
5. Segmentation by Use Case: You can segment the division of your AWS resources via subnets.

7. Is there a way to upload a file that is greater than 100 megabytes on Amazon S3?

Yes, we can upload files up to 5 GB in size. However, for files that are greater than 100 MB, AWS recommends using the multi-part upload method. In this method, files are broken into chunks and uploaded parallelly. This can boost upload speeds and efficiency.

For files less than 100 MB, a single-put method works; however, for files greater than 100 MB and using Single PUT method, you may encounter timeout issues or failures during the upload.

8. When should you use the classic load balancer vs the application load balancer?

9. How many total VPCs per account/region and subnets per VPC can you have?

We can have a total of 5 VPCs for every account/region and 200 subnets for every VPC that you have. However, if you need more VPCs or subnets, you can request a quota increase from AWS support; you can get your VPC limit increased to 1000 VPCs per region, and you can similarly request an increased subnet limit.

10. Your organization has decided to have all its workloads on the public cloud. But, due to certain security concerns, your organization has decided to distribute some of the workload on private servers. You are asked to suggest a cloud architecture for your organization. What will your suggestion be?

A hybrid cloud

The hybrid cloud architecture is where an organization can use the public cloud for shared resources and the private cloud for confidential workloads.

11. What is the name of Amazon's Content Delivery Network?

Amazon CloudFront is a CDN service that is used in AWS. It helps deliver static content to the end-user through the nearest available server, hence reducing latency.

12. How will you configure an Amazon S3 bucket to serve static assets for your public web application?

For serving static assets to your public web application, you have to uncheck the “disable all public access” option of the bucket while creating it.

13. What is Snowball?

Snowball is an application designed for transferring terabytes of data into and outside of the AWS cloud. It uses secured physical storage to transfer the data. Snowball is considered a petabyte-scale data transport solution that helps with cost and time savings.

14. What is AWS?

AWS (Amazon Web Services) is a cloud platform. Like any other cloud platform, AWS helps you to rent high-end servers at a per-hour or per-second basis without the need of buying them. It provides servers for various use cases such as database, compute, content delivery, etc. which can help businesses scale without investing a lot of money in IT infrastructure.

15. What is the difference between Spot Instances and On-demand Instances?

Both Spot Instances and On-demand Instances are pricing models.

16. What is the maximum number of S3 buckets you can create?

The maximum number of S3 buckets that can be created is 100. However, if you need more buckets, you can request AWS support for an increase in S3 bucket quota and increase the limit up to 1000 buckets per account.

17. How can you save the data on root volume on an EBS-backed machine?

Two scenarios can happen with an EBS-backed machine:

1. Shutting down the machine: Data persists when you shut down an EBS-backed machine.
2. Terminating the machine: On termination of an EC2 instance, the EBS also automatically gets deleted. To save the data, you can take a snapshot of the instance before terminating the EC2 machine.

18. Which one of the storage solutions offered by AWS would you use if you need extremely low pricing and data archiving?

AWS Glacier is an extremely low-cost storage service offered by Amazon that is used for data archiving and backup purposes. The longer you store data in Glacier, the less it will cost you.

19. You have connected four instances to ELB. To automatically terminate your unhealthy instances and replace them with new ones, which functionality would you use?

Auto-scaling groups

20. The data on the root volumes of instance store-backed and EBS-backed instances gets deleted by default when they are terminated. If you want to prevent that from happening, which instance would you use?

We should use EBS-backed instances for this use case. Although by default if we terminate EBS-backed instances, the EBS volume gets deleted, this can be modified by disabling the ‘delete on termination’ option while creating the EC2 instance.

21. What is CloudWatch?

The Amazon CloudWatch is used for monitoring and managing data and getting actionable insights for AWS, on-premise applications, etc. It helps you monitor your entire task stack, which includes the applications, infrastructure, and services. Apart from this, CloudWatch also assists you in optimizing your resource utilization and cost by providing analytics-driven insights.

22. What is Elastic Transcoder?

In the AWS cloud, the Elastic Transcoder is used for converting media files into versions that can be run/played on devices such as tablets, PCs, smartphones, etc. It consists of advanced transcoding features with conversion rates starting from $ 0.0075 per minute.

23. What does an AMI include?

AMI stands for Amazon Machine Images. It includes the following:

• Single or multiple Amazon Elastic Block Store (Amazon EBS) snapshots. Templates for the root volume of the instance.
• Launch permissions that let AWS accounts use AMI to launch instances.
• A block device mapping specifies what volumes are to be attached to the instance during its launch.

24. What are the storage classes available in Amazon S3?

The following storage classes are available in Amazon S3:

• S3 Standard: It is by and large the default storage class. In cases where no specification about the storage class is provided while uploading the object, Amazon S3 assigns the S3 Standard storage class by default.
• Reduced Redundancy: It is assigned when non-critical, reproducible data needs to be stored. The Reduced Redundancy Storage class is designed in a way that the above data categories can be stored with less redundancy.

However, it is always advisable to go ahead with the S3 standard storage class.

25. You accidentally stopped an EC2 instance in a VPC with an associated Elastic IP. If you start the instance again, what will be the result?

Elastic IP will only be disassociated from the instance if it’s terminated. If it’s stopped and started, there won’t be any change to the IP address, and the IP address will remain the same. However, elastic IP addresses, when disassociated or attached to a stop instance, are chargeable.

26. Your organization wants to send and receive compliance emails to its clients using its email address and domain. What service would you suggest for achieving the same easily and cost-effectively?

Amazon Simple Email Service (Amazon SES), which is a cloud-based email-sending service, can be used for this purpose.

27. Can you launch Amazon Elastic Compute Cloud (EC2) instances with predetermined private IP addresses? If yes, then with which Amazon service is it possible?

Yes. It is possible by using VPC (Virtual Private Cloud). In VPC, while creating subnets, it is possible to define a CIDR range for the private IP addresses. You can also specify the private IP address of the instance from this CIDR range while deploying the EC2.

28. If you launch a standby RDS, will it be launched in the same availability zone as your primary?

No, standby instances are automatically launched in different availability zones than the primary, making them physically independent infrastructures. This is because the whole purpose of standby instances is to prevent infrastructure failure. So, in case the primary goes down, the standby instance will help recover all of the data.

29. Which Amazon solution will you use if you want to accelerate moving petabytes of data in and out of AWS using storage devices that are designed to be secure for data transfer?

Amazon Snowball

AWS Snowball is the data transport solution for large amounts of data that need to be moved into and out of AWS using physical storage devices. It can be useful when moving petabyte scale data because the cost of transporting the data physically via snowball devices is a lot cheaper than transferring them over the internet and is a faster tool.

30. If you are running your DB instance as a multi-AZ deployment, can you use standby DB instances along with your primary DB instance?

No, the standby DB instance cannot be used along with the primary DB instances since the standby DB instances are supposed to be used only if the primary instance goes down.

31. Your organization is developing a new multi-tier web application in AWS. Being a fairly new and small organization, there’s limited staff. However, the organization requires high availability. This new application comprises complex queries and table joins. Which Amazon service will be the best solution for your organization’s requirements?

Well, the best service that can help you in the above use case is Amazon RDS. Here are a few reasons for the same:

1. Supports Complex Queries and Joins: Amazon RDS is a managed service that manages relational databases like MySQL, Postgres DB, etc. They are ideal for handling complex queries and table joins.
2. Automated Workflows: With limited staff in the company, you can still get things like automated backups, security patches, database maintenance, etc. All of these tasks, which ideally require a database team, are automatically managed by AWS.
3. High Availability and Fault Tolerance: AWS RDS has features like Multi-AZ deployment, Master-Slave Architecture, Multi-Master Architecture, etc. These architectures and features offer you high availability and fault tolerance.
4. Scalability: As your application grows, you can also scale the size of your DB instances.

32. Your organization has around 50 IAM users. Now, it wants to introduce a new policy that will affect the access permissions of an IAM user. How can it implement this without having to apply the policy at the individual user level?

It is possible to use AWS IAM groups by adding users to the groups as per their roles and by simply applying the policy to the groups.

33. Your organization is using DynamoDB for its application. This application collects data from its users every 10 minutes and stores it in DynamoDB. Then every day, after a particular time interval, the data (respective of each user) is extracted from DynamoDB and sent to S3. Then, the application visualizes this data for the users. You are asked to propose a solution to help optimize the backend of the application for a low latency at a lower cost. What would you recommend?

Since we want to reduce latency, we have to introduce a caching system. Amazon ElastiCache is a caching solution offered by Amazon that is cost-effective and has competitive costs. Below is the architecture for the same.

It can be used to store a cached version of the application in a region closer to users so that when requests are made by the users, the cached version of the application can respond, and hence latency will be reduced.

34. You created a web application with autoscaling. You observed that the traffic on the application is the highest on Wednesdays and Fridays between 9 AM and 7 PM. What would be the best solution for you to handle the scaling?

Configure a policy in autoscaling to scale as per the predictable traffic patterns.

35. How would you handle a situation where the relational database engine crashes often whenever the traffic to your RDS instances increases, given that the replica of the RDS instance is not promoted as the master instance?

A bigger RDS instance type needs to be opted for handling large amounts of traffic and creating manual or automated snapshots to recover data in case the RDS instance goes down.

36. You have an application running on your Amazon EC2 instance. You want to reduce the load on your instance as soon as the CPU utilization reaches 80 percent. How will you do that?

It can be done by creating an autoscaling group to deploy more instances when the CPU utilization exceeds 80 percent.

37. What would I have to do if I wanted to access Amazon Simple Storage buckets and use the information for access audits?

AWS CloudTrail can be used in this case as it is designed for logging and tracking API calls, and it has also been made available for storage solutions.

38. You created a key in the North Virginia region to encrypt my data in the Oregon region. You also added three users to the key and an external AWS account. Then, to encrypt an object in S3, when you tried to use the same key, it was not listed. Where did it go wrong?

The data and the key should be in the same region. That is, the data that has to be encrypted should be in the same region as the one in which the key was created. In this case, the data is in the Oregon region, whereas the key was created in the North Virginia region.

39. You have been onboarded as a Cloud Engineer recently in a company called XYZ. The current application setup was a monolithic application; it has two functions: image processing and general website hosting. You have segregated these applications into 2 applications based on the workload. Which Load Balancer will you use to distribute the traffic among servers based on the request being made?

• Classic Load Balancer
• Application Load Balancer
• Network Load balancer

Application Load Balancer: It supports path-based routing of the traffic and hence helps in enhancing the performance of the application structured as smaller services.

Using an application load balancer, the traffic can be routed based on the requests made. In this scenario, the traffic where requests are made for rendering images can be directed to the servers only deployed for rendering images, and the traffic where requests are made for computing can be directed to the servers deployed only for general computing purposes.

40. Suppose you create a subnet and launch an EC2 instance in the subnet with default settings. Which of the following options will be ready to use on the EC2 instance as soon as it is launched?

• Elastic IP
• Private IP
• Public IP
• Internet Gateway

Private IP

Private IP is mandatory while creating a subnet. Adding an internet gateway, public IP or elastic IP address, is optional. Hence, by default, any EC2 instance that will be deployed in a subnet with a default setting will have a private IP address inside them.

41. Your organization has four instances for production and another four for testing. You are asked to set up a group of IAM users that can only access the four production instances and not the other four testing instances. How will you achieve this?

We can achieve this by defining tags on the test and production instances and then adding a condition to the IAM policy that allows access to specific tags.

42. Your organization wants to monitor the read-and-write IOPS for its AWS MySQL RDS instance and then send real-time alerts to its internal operations team. Which service offered by Amazon can help your organization achieve this scenario?

Amazon CloudWatch would help us achieve this. Since Amazon CloudWatch is a monitoring tool offered by Amazon, it’s the right service to use in the above-mentioned scenario.

43. Which of the following services can be used if you want to capture client connection information from your load balancer at a particular time interval?

• Enabling access logs on your load balancer
• Enabling CloudTrail for your load balancer
• Enabling CloudWatch metrics for your load balancer

Enabling CloudTrail for your load balancer

AWS CloudTrail is an inexpensive log monitoring solution provided by Amazon. It can provide logging information for load balancers or any other AWS resources. The provided information can be further used for analysis.

44. You have created a VPC with private and public subnets. In what kind of subnet would you launch the database servers?

Database servers should be ideally launched on private subnets. Private subnets are ideal for the backend services and databases of all applications since they are not meant to be accessed by the users of the applications, and private subnets are not routable from the internet.

45. Is it possible to switch from an instance-backed root volume to an EBS-backed root volume at any time?

It’s not possible directly, but we can take a snapshot of the instance and create an AMI. Further, we will use this AMI to launch an instance that will have an EBS-backed root volume.

46. Can you change the instance type of the instances that are running in your application tier and are also using autoscaling? If yes, then how? (Choose one of the following)

• Yes, by modifying autoscaling launch configuration
• Yes, by modifying autoscaling tags configuration
• Yes, by modifying autoscaling policy configuration
• No, it cannot be changed

Yes, the instance type of such instances can be changed by modifying the autoscaling launch configuration.

47. How can I directly connect my company’s data center to AWS servers without using the internet?

Amazon Direct Connect

It is an AWS networking service that acts as an alternative to using the Internet to connect customers in on-premise sites with AWS.

48. You have deployed multiple EC2 instances across multiple availability zones to run your website. You have also deployed a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small read and write operations per second. After some time, you observed that there is read contention on RDS MySQL. What would be your approach to resolving the contention and optimizing your website?

The read contention problem can be solved in various ways:

1. Read Replicas: Read replicas are copies of the database, but these replicas can only be used to read the data. There are multiple such replicas that can be deployed in various AZs. These can take the load off from the main server, where only write operations will be directed.

2. Optimizing Database: Apart from read replicas, it will be helpful to optimize the database as well, following operations can be helpful:

1. • Index Optimisation
   • Query Optimisation
   • Database Configuration Tuning

3. Implement a Caching Mechanism: You can use Amazon ElastiCache to create a caching mechanism that can further improve performance by caching frequently accessed data.

49. Your company wants you to propose a solution so that the company’s data center can be connected to the Amazon cloud network. What would your proposal be?

You can use AWS DirectConnect for this. DirectConnect allows you to directly connect to the Amazon Datacenter using a leased line. For this, you don’t require an internet connection.

50. Which service offered by Amazon will you choose if you want to collect and process e-commerce data for near real-time analysis? (Choose any two)

• DynamoDB
• Redshift
• Aurora
• SimpleDB

DynamoDB

DynamoDB is a fully managed NoSQL database service that can be fed any type of unstructured data. Hence, DynamoDB is the best choice for collecting data from e-commerce websites. For near-real-time analysis, we can use Amazon Redshift.

51. If in CloudFront the content is not present at an edge location, what will happen when a request is made for that content?

CloudFront will deliver the content directly from the origin server. It will also store the content in the cache of the edge location where the content was missing. Any further requests that come will be then routed to the edge location.

52. Can you change the private IP address of an EC2 instance while it is running or in a stopped state?

No, it cannot be changed. When an EC2 instance is launched, a private IP address is assigned to that instance at boot time. This private IP address is attached to the instance for its entire lifetime and can never be changed.

53. Which of the following options will you use if you have to move data over long distances using the Internet, from instances that are spread across countries to your Amazon S3 bucket?

• Amazon CloudFront
• Amazon Transfer Acceleration
• Amazon Snowball
• Amazon Glacier

Amazon Transfer Acceleration

It throttles the data transfer up to 300 percent using optimized network paths and Amazon Content Delivery Network. Snowball cannot be used here as this service does not support cross-region data transfer.

54. Which of the following services is a data storage system that also has a REST API interface and uses secure HMAC-SHA1 authentication keys?

• Amazon Elastic Block Store
• Amazon Snapshot
• Amazon S3

Amazon S3

It gets various requests from applications, and it has to identify which requests are to be allowed and which are to be denied. Amazon S3 REST API uses a custom HTTP scheme based on a keyed HMAC for the authentication of requests.

55. What are the native AWS security logging capabilities?

The native AWS security logging capabilities include AWS CloudTrail, AWS Config, AWS detailed billing reports, Amazon S3 access logs, Elastic load balancing access logs, Amazon CloudFront access logs, Amazon VPC Flow logs, etc. To learn about native AWS security logging capabilities in detail, click here.

56. What kind of IP address can you use for your customer gateway (CGW) address?

We can use the Internet routable IP address, which is a public IP address of your NAT device.

57. A company has a running web application server in the N. Virginia region, and the server has a large EBS volume of approximately 500 GB. The company needs to migrate the server from the current region to another AWS account’s Mumbai location. Which is the best way to migrate the server from the current location to the Mumbai region?

Following are the steps that you need to follow:

1. Open your EC2 console, where the web application server is present, and create an AMI from it.
2. Then go to the AMI section in EC2 console and select your newly created AMI.
3. Click on Actions > Modify Image Permissions
4. Add the 12-digit destination AWS account ID to the list of accounts with launch permission of this AMI.
5. Finally, click on Save.

Now, on the destination AWS account, open the Mumbai region and follow the below steps:

1. Open the AMIs section in the EC2 dashboard.
2. Click on Private Images.
3. Find and select the shared AMI from the previous AWS account.
4. Copy the AMI.
5. Use it to launch the EC2 instance.

58. In AWS, three different storage services are available, such as EFS, S3, and EBS. When should I use Amazon EFS vs. Amazon S3 vs. Amazon Elastic Block Store (EBS)?

59. Which instance types support EBS Multi-Attach?

The instance type should be EC2 Nitro-based instances and Provisioned IOPs io1 multi-attach EBS volumes.

60. A company currently operates a web application backed by an Amazon RDS MySQL database. It has automated backups that are run daily and are not encrypted. A security audit requires future backups to be encrypted and unencrypted backups to be destroyed. The company will make at least one encrypted backup before destroying the old backups. What should be done to enable encryption for future backups?

Since the current DB is not encrypted, we will have to re-launch the DB with the option of encryption enabled. Here is how you can do it.

1. Take a snapshot of the current database.
2. Go to the snapshot and select it, and click on Actions > Copy Snapshot.
3. In the Copy Snapshot dialog box, select the Encryption option.
4. Your new Snapshot will now be encrypted.

61. A company is going to launch one branch in the UK and needs to continue with its existing main branch in the USA. The company has almost 15 GB of data, which is stored in an S3 bucket in the Ohio region, and data is stored with the default storage class. The company wants to provide its updated and stored data in the London S3 bucket, also using one zone accessibility storage class to save storage costs. In addition, the company also wants the data to be updated automatically in S3’s London bucket if any data is modified or written in the S3 bucket in Ohio. How can this be achieved?

Configure the Cross Region Replication Rule in the Ohio region bucket and select the destination bucket in the London region to replicate the data and store it in the destination using one zone IA storage class to save cost.

62. You have an application running on an EC2 instance. You need to reduce the load on your instance as soon as the CPU utilization reaches 80 percent. How will you accomplish the job?

It can be done by creating an autoscaling group to deploy more instances when the CPU utilization of the EC2 instance exceeds 80 percent and distributing traffic among instances by creating an application load balancer and registering EC2 instances as target instances.

63. A client reports that they wanted to see an audit log of any changes made to AWS resources in their account. What can the client do to achieve this?

Enable AWS CloudTrail logs to be delivered to an Amazon S3 bucket.

64. What do you understand by VPC?

VPC is the abbreviated form of Virtual Private Cloud. It is basically a virtual network service through which you can create logically isolated networks, sub-networks (subnets), firewalls (security groups), etc.

It is highly customizable and can help you to isolate AWS resources in an effective way.

65. What are key pairs?

Key pairs, as the name suggests, are a pair of keys, namely a private key and a public key. Each public key matches with a unique private key. When we use AWS and deploy EC2 instances, the public key is stored on the EC2 instance, and the private key is available to the user. While connecting to the EC2 instance, we have to attach the private key in the auth request; if the private key matches the public key in the server, the user will get authenticated.

66. What are policies, and what are the different types of policies?

Policies define the permissions required to execute an operation, irrespective of the method used to perform it. AWS supports six types of policies:

• Identity-based policies
• Resource-based policies
• Permissions boundaries
• Organizations SCPs
• ACLs
• Session policies

1. Identity-based policies – These are JSON permissions policy documents that control what actions an identity can perform, under what conditions, and on which resources. These policies are further classified into 2 categories:

• • Managed Policies: These policies are standalone identity-based policies that can be attached to different users and groups in your AWS environment.
  • Inline policies: These policies are directly attached to a single user, group, or role. In situations where inline policies are used, a strict one-to-one relationship between a policy and an identity is maintained.

2. Resource-based policies – These policies are the ones attached to a resource such as an Amazon S3 bucket. They define which actions can be performed on the particular resource and under what circumstances.
3. IAM permissions boundaries – They refer to the maximum level of permissions that identity-based policies can grant to a specific entity.
4. Service Control Policies (SCPs) – SCPs are the maximum level of permissions for an organization or organizational unit.
5. Access Control lists – They define and control which principals in another AWS account can access the particular resource.
6. Session policies – They are advanced policies that are passed as a parameter when a temporary session is programmatically created for a role or federated user.

67. Which of the following is not an option in security groups?

• List of users
• Ports
• IP addresses
• List of protocols

List of Users

68. You launched a Windows 2019 IIS server in the Ohio region and deployed a dynamic website in this server. In addition, the webserver is also connected with a backend MS-SQL server to store and access data related to the application. Your users were able to access the website over the Internet. The next day your client informed you that they were able to access the website but weren’t able to ping the server from the internet. To ensure the ICMP rule in the Security Group, you checked, and the Security Group had allowed the rule from 0.0.0.0/0. Would you try to help troubleshoot the issue?

If the client can access the website from his/her end, it means the connection is perfect and there is no issue with connectivity, and the Security Group configuration also seems correct.

We can check the internal firewall of the Windows 2019 IIS server. If it is blocking ICMP traffic, we should enable it.

69. What is AWS Glue?

AWS Glue is a data integration service offered by Amazon that makes it easy to discover, prepare, move, and transform your data for analytics and application development.

70. In AWS Glue, how do you enable and disable a trigger?

You can execute the below commands to start or stop the trigger using the AWS CLI.

• aws glue start-trigger –name MyTrigger
• aws glue stop-trigger –name MyTrigger

71. What is a connection in AWS Glue?

Connection in AWS Glue is a service that stores information required to connect to a data source such as Redshift, RDS, S3, or DynamoDB.

72. How can you start an AWS Glue workflow run using AWS CLI?

Using the start-workflow-run command of AWS CLI and passing the workflow name, one can start the Glue workflow.

73. What data sources does AWS Glue support?

AWS Glue can integrate with more than 80 data sources on AWS, on-premises, and on other clouds. The service natively supports data stored in the following databases in your Amazon Virtual Private Cloud (Amazon VPC) running on Amazon Elastic Compute Cloud (Amazon EC2):

• Amazon Aurora
• Amazon RDS for MySQL
• Amazon RDS for Oracle
• Amazon RDS for PostgreSQL
• Amazon RDS for SQL Server
• Amazon Redshift
• Amazon DynamoDB
• Amazon S3
• MySQL, Oracle, Microsoft SQL Server, and PostgreSQL

74. What programming language can we use to write my ETL code for AWS Glue?

We can use either Scala or Python.

75. Can we write custom code in AWS Glue?

Yes. We can write your code using the AWS Glue ETL library.

76. How do we monitor the execution of my AWS Glue jobs?

AWS Glue provides the status of each job and pushes all notifications to CloudWatch.

77. Explain what S3 is.

S3 stands for Simple Storage Service. It is an object-based storage service on AWS. It is a pay-as-you-go service with the help of which you can store and extract any amount of data at any time from anywhere on the web.

78. What is the Replication Rule feature supported by AWS S3?

Amazon S3 offers a lot of useful features. One of the features is the Replication Rule feature, which allows users to replicate the data to a secondary region.

79. What are the different ways to encrypt a file in S3?

To encrypt a file in Amazon S3, users need to choose an appropriate encryption option. AWS S3 offers multiple encryption options such as:

• Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3)
• Server-Side Encryption with AWS Key Management Service (SSE-KMS)
• Server-Side Encryption with Customer-Provided Keys (SSE-C)
• Client-Side Encryption

80. What is static website hosting in S3?

Static website hosting in S3 is a feature that allows users to host static web content directly from an S3 bucket.

81. Is there any way to restore the deleted S3 objects?

Yes, you can restore the deleted S3 objects easily if you have a versioning enabled in the bucket.

82. How will you configure an Amazon S3 bucket to serve static assets for your public web application?

You can follow the below steps:

1. Create a bucket with a suitable name with default settings.
2. Later, go to settings of the bucket, disable ‘Block all Public access’.
3. Click on Save Changes.
4. Now go to the properties tab.
5. Scroll to “Static Website Hosting” section.
6. Edit and select the “enable” option.
7. Update the suitable html file names for the home page and error page.
8. Click on Save Changes.
9. After enabling the static website option, you will get the link for accessing the static website.

83. What is an S3 general-purpose bucket?

A bucket is a container for objects stored in Amazon S3, and you can store any number of objects in a bucket. General purpose buckets are the original S3 bucket type, and a single general purpose bucket can contain objects stored across all storage classes except S3 Express One Zone. They are recommended for most use cases and access patterns.

84. How is Amazon S3 data organized?

Amazon S3 is a simple key-based object store. When you store data, you assign a unique object key that can later be used to retrieve the data. Keys can be any string, and they can be constructed to mimic hierarchical attributes. Alternatively, you can use S3 Object Tagging to organize your data across all of your S3 buckets and/or prefixes.

85. What is Amazon EC2?

Elastic Cloud Compute (EC2) is a cloud computing service provided by Amazon Web Services (AWS) that is used for hosting applications in the cloud.

86. What is a Security Group in Amazon EC2?

Amazon Security Groups control both inbound and outbound traffic, acting like a virtual firewall for your EC2 instances.

87. Explain Stop vs. Terminate an Amazon EC2 instance.

Both stopping and terminating the Amazon EC2 instance have their purpose and consequences.

88. What is the use of regions and availability zones in Amazon EC2 configuration?

Regions are physical locations/ areas where AWS data centers are present. In regions there are multiple availability zones. Each availability zone has an AWS datacenter.

To summarize, AWS regions have multiple availability zones. Each availability zone has an AWS datacenter.

89. What is a placement group in EC2?

By placing EC2 instances in a placement group, we can optimize the network performance and achieve higher levels of throughput. Placement groups can be created within a single AZ. The instances in a placement group are placed closer physically, which enables the high network performance and throughput.

90. You want to modify the security group rules while it is being used by multiple EC2 instances. Will you be able to do that? If yes, will the new rules be implemented on all previously running EC2 instances that were using that security group?

Yes, the security group that is being used by multiple EC2 instances can be modified. The changes will be implemented immediately and applied to all the previously running EC2 instances without restarting the instances.

91. What is AWS SNS?

Amazon Simple Notification Service (SNS) is a fully managed push notification service that sends messages to mobile and other distributed systems.

92. What are the different types of load balancers in EC2?

There are 4 types of load balancers in EC2.

• Application Load Balancer (ALB)
• Network Load Balancer (NLB)
• Classic Load Balancer (CLB)
• Gateway Load Balancer (GWLB)

93. What is AWS CloudFormation?

AWS CloudFormation is an IaC (Infrastructure as Code) service offered by AWS so that you can deploy your infrastructure redundantly with the help of a code (json or Yaml).

94. What would I have to do if I wanted to access Amazon Simple Storage buckets and use the information for access audits?

AWS CloudTrail can be used in this case as it is designed for logging and tracking API calls, and it has also been made available for storage solutions.

95. What are the native AWS security logging capabilities?

The native AWS security logging capabilities include AWS CloudTrail, AWS Config, AWS detailed billing reports, Amazon S3 access logs, Elastic load balancing access logs, Amazon CloudFront access logs, Amazon VPC Flow logs, etc.

96. What is the difference between stateful and stateless filtering?

Stateful filtering evaluates the origin IP address for any request coming to your server, whereas stateless filtering evaluates both the origin and the destination IP address.

97. What are the internet gateways in VPC?

Internet gateways are components that allow resources within your VPC to communicate to and from the Internet.

98. What is an Elastic IP address?

Elastic IP addresses are static public IP addresses that are attached to an AWS instance so that its IP address doesn’t change. Usually, public IP addresses change after stopping the instance or terminating the instance. But when we create an Elastic IP address, even if AWS servers are terminated or stopped, these IP addresses are still available in the console and can be attached to other AWS servers.

99. Can I monitor the network traffic in my VPC?

Yes. You can use Amazon VPC traffic mirroring and Amazon VPC flow logs features to monitor the network traffic in your Amazon VPC.