AWS interviews test more than cloud trivia. Interviewers want to see how you reason about trade-offs — cost vs. performance, scalability vs. simplicity, managed vs. self-managed. This guide covers 10 questions that appear frequently across cloud engineer, DevOps, and backend roles, with sample answers and notes on what separates a strong candidate from a forgettable one.
The 10 Most Common AWS Interview Questions
1. What is the difference between EC2, Lambda, and ECS?
This is a compute-model question. Each service targets a different workload shape:
| Service | Model | Best for |
|---|---|---|
| EC2 | Virtual machines you manage | Long-running workloads, custom OS/runtime needs |
| Lambda | Serverless functions, billed per invocation | Event-driven tasks under 15 minutes |
| ECS | Managed container orchestration | Containerized services needing more control than Lambda |
Junior answer: "Lambda is serverless and cheaper; EC2 is more powerful."
Senior answer: "It depends on the usage pattern. Lambda is ideal when you have bursty, short-lived compute — you pay nothing at idle. EC2 makes sense when you need a persistent process, specific OS configuration, or GPU access. ECS sits in between: you get container portability without managing Kubernetes, but you still choose the underlying compute (EC2 or Fargate). If I'm building a data pipeline triggered by S3 events, Lambda. If I'm running a stateful background worker, ECS on Fargate."
2. What are S3 storage classes and when do you use each?
Amazon S3 offers multiple storage tiers. The right choice depends on how often you access the data and how quickly you need it.
| Storage Class | Use Case |
|---|---|
| Standard | Frequently accessed data |
| Standard-IA | Infrequent access, millisecond retrieval |
| One Zone-IA | Infrequent access, tolerate AZ failure |
| Glacier Instant | Archives needing millisecond retrieval |
| Glacier Flexible | Archives with 1–12 hour retrieval |
| Glacier Deep Archive | Long-term compliance, 12+ hour retrieval |
| Intelligent-Tiering | Unknown or changing access patterns |
Interviewers look for cost awareness here. S3 storage is cheap, but retrieval fees from Glacier can surprise teams that haven't modeled their access patterns.
3. Explain IAM roles vs. IAM policies
IAM (Identity and Access Management) is a favorite interview topic because misconfigured IAM is how breaches happen.
- IAM policy: a JSON document that defines what actions are allowed or denied on which resources.
- IAM role: an identity that AWS services (EC2, Lambda, ECS tasks) can assume to gain temporary permissions. Roles carry policies; they do not have permanent credentials.
Senior tip: Interviewers want to hear the phrase "least privilege." A strong answer explains *why* you avoid long-lived access keys (they can leak) and prefer roles (temporary credentials, auto-rotated by AWS STS). Mentioning permission boundaries or AWS Organizations service control policies (SCPs) signals senior depth.
4. What is a VPC, and how do subnets and security groups work together?
A Virtual Private Cloud (VPC) is your isolated network inside AWS. Think of it as your own data center within AWS infrastructure.
- Subnets divide the VPC by availability zone and access level. *Public subnets* have a route to an Internet Gateway; *private subnets* do not.
- Security groups are stateful firewalls attached to resources (EC2, RDS, Lambda in VPC). Rules are additive — there is no explicit deny; anything not allowed is blocked.
- Network ACLs are stateless and apply at the subnet level — each rule needs an inbound and outbound counterpart.
A typical three-tier app runs the load balancer in a public subnet, application servers in private subnets, and RDS in isolated subnets with no outbound internet route at all.
5. RDS vs. DynamoDB — how do you choose?
This is a trade-off question, not a "which is better" question.
| Factor | RDS (Postgres/MySQL/etc.) | DynamoDB |
|---|---|---|
| Data model | Relational, joins, ACID transactions | Key-value / document, eventual or strong consistency |
| Scaling | Vertical + read replicas | Horizontal, auto-scaling |
| Query flexibility | Full SQL | Access patterns must be designed upfront |
| Cost model | Provisioned instance | Per request + storage |
The honest senior answer: "If the team already knows SQL and the data is relational, start with RDS. DynamoDB wins when you need single-digit millisecond latency at massive scale and you can design your access patterns in advance. The mistake I've seen is choosing DynamoDB because it sounds modern, then spending weeks fighting it when the query patterns weren't thought through."
6. CloudFormation vs. Terraform — what's the difference?
Both are infrastructure as code tools, but they differ in scope and approach:
| CloudFormation | Terraform | |
|---|---|---|
| Vendor | AWS-native | HashiCorp (multi-cloud) |
| Language | JSON / YAML | HCL (HashiCorp Configuration Language) |
| State | Managed by AWS stacks | Stored in state files (local or remote) |
| Multi-cloud | AWS only | AWS, GCP, Azure, and more |
Most AWS-only shops use CloudFormation or CDK (which compiles to CloudFormation). Teams with multi-cloud infrastructure or strong Terraform expertise prefer Terraform. Neither is wrong — interviewers want to hear that you've used at least one in production and can explain the state management implications.
7. How does Auto Scaling work in AWS?
Auto Scaling adjusts compute capacity to match demand. There are three main modes:
- Target tracking — scale to maintain a metric (e.g., CPU at 60%). Simplest to configure.
- Step scaling — add/remove capacity in steps based on CloudWatch alarm thresholds.
- Scheduled scaling — pre-warm capacity before predictable traffic spikes (e.g., every weekday at 8 AM).
What seniors add: cooldown periods, lifecycle hooks (run scripts before/after instance launch or termination), and the difference between scaling the ASG and scaling at the application layer (horizontal pod autoscaler in EKS, for example).
8. What does Route 53 do beyond DNS?
Route 53 is Amazon Web Services' managed DNS service, but the interview question is really about routing policies:
- Simple: return a single value
- Weighted: split traffic between endpoints by percentage (useful for blue/green deploys)
- Latency-based: route to the lowest-latency region
- Failover: active/passive health-check-based failover
- Geolocation / Geoproximity: route by the user's geographic location
The senior signal: mentioning health checks, how Route 53 integrates with CloudFront and load balancers, and the difference between alias records (AWS-specific, no charge) and CNAME records.
9. How do you monitor and debug AWS workloads with CloudWatch?
CloudWatch is the default observability layer. Interviewers want to know you've actually used it:
- Metrics: built-in for most AWS services; custom metrics for application-level signals
- Logs Insights: query logs with a SQL-like syntax — useful for finding errors across a Lambda function's log streams
- Alarms: trigger auto scaling actions, SNS notifications, or Systems Manager automation
- Dashboards: consolidate metrics across services into a single view
Common mistake candidates make: saying "I just check the console." Senior candidates mention setting up structured logging (JSON), using EMF (Embedded Metric Format) in Lambda for low-cost custom metrics, or integrating CloudWatch with Grafana for richer dashboards.
10. Walk me through a common AWS architecture scenario
Interviewers often end with an open-ended scenario: "How would you architect a web app for 1 million users?" A strong answer covers:
- Edge: CloudFront CDN to cache static assets and reduce origin load
- Compute: ECS (Fargate) or Lambda, behind an Application Load Balancer in multiple AZs
- Data: RDS (Multi-AZ) for transactional data + ElastiCache (Redis) for session/cache
- Storage: S3 for user uploads, with presigned URLs for direct client uploads
- Monitoring: CloudWatch metrics, alarms, and a centralized log group per service
- Security: VPC with private subnets for compute and DB, security groups locked to minimum ports, IAM roles on every service (no access keys)
The senior move: proactively mention failure modes — what happens if one AZ goes down, how you'd handle a traffic spike, or where the cost surprises tend to show up.
What Interviewers Are Actually Testing
Most AWS interview questions probe three things:
- Trade-off reasoning — do you understand *why* one service fits a use case better than another, or do you just know the names?
- Production experience — have you dealt with cost surprises, outages, or scaling incidents, or is this theoretical?
- Security mindset — do you default to least privilege and consider the blast radius of a misconfiguration?
Preparing sample answers is table stakes. The engineers who stand out come in knowing who they're talking to — the team's tech stack, the architecture patterns the company already uses, and what the interviewer likely cares about.
If you're prepping for a cloud or DevOps interview, Articuler can help you find the hiring manager or technical lead behind the role and build a Playbook on what they've built and what they care about. That's the difference between walking in with generic answers and walking in with context. If you're prepping for the system design portion of your loop, the system design interview questions guide covers the architecture depth most senior AWS interviews require. And if you want AI-generated meeting prep on the exact person interviewing you, Articuler's AI meeting prep does that in minutes.
FAQ
How many AWS questions are in a typical cloud engineer interview?
Most cloud or DevOps interview loops include 3–5 AWS-specific questions mixed with system design, coding, and behavioral rounds. Senior roles lean harder on architecture trade-offs; junior roles focus more on core services.
Do I need to memorize pricing for AWS interviews?
No. Interviewers care that you understand *which* services are expensive and *why* (e.g., NAT Gateway data transfer costs, Glacier retrieval fees, data egress costs). You don't need to quote exact dollar amounts.
Should I get AWS certified before interviewing?
A certification helps signal familiarity, but it doesn't replace practical experience. Most interviewers care more that you can reason through trade-offs than that you hold an SAA or SAP exam cert. That said, the Solutions Architect Associate exam is good structured prep if you're new to AWS.
What is the hardest AWS interview question?
"Design a system for X at scale" is consistently the hardest question because there's no single right answer. Interviewers are grading your reasoning process, your awareness of failure modes, and whether you ask clarifying questions before diving into an architecture.