AWS Interview Questions: What Employers Actually Ask
AWS is the most widely used cloud platform, and AWS interview questions appear across a huge range of roles — from junior cloud engineers to senior architects. What those questions look like depends on the seniority of the role and the type of company, but the core service knowledge they test is consistent.
This page covers the AWS interview questions that come up most often, grouped by topic, with notes on what a good answer actually needs to address.
What AWS Roles Look Like at Different Levels#
At associate level, interviewers are testing foundational understanding. You need to know what the core services do and how they fit together. You do not need to have built production systems at scale, but you should be able to work through a simple architecture question and explain your reasoning.
At mid-level, the bar shifts to demonstrated hands-on experience. You should be able to describe real systems you’ve worked on, explain how you’ve debugged production problems, and reason confidently about design trade-offs. Questions get more situational — “what would you do if…” rather than “what is…”.
At senior level, depth and judgment matter most. Expect open-ended architecture problems, questions about trade-offs at scale, and discussions about the operational implications of design decisions. Seniors are also expected to know what they don’t know and flag it clearly.
EC2 and Compute#
Questions you’ll see:
- “What’s the difference between a t3.micro and an m5.large instance? How would you decide which to use?”
- “What is an AMI, and why would you create a custom one?”
- “What are instance store volumes vs EBS volumes? What happens to each when you stop an instance?”
- “What is EC2 Auto Scaling? What’s the difference between a scaling policy based on CPU and one based on a scheduled event?”
- “How would you connect to a private EC2 instance that has no public IP?”
What interviewers are probing: EC2 questions test whether you understand compute fundamentals and not just how to click through the console. The instance store vs EBS question trips up a lot of candidates — the key point is that instance store data is lost when the instance stops, while EBS persists. The private instance question is looking for knowledge of Systems Manager Session Manager or a bastion host setup, and whether you default to “just give it a public IP” (a red flag).
S3 and Storage#
Questions you’ll see:
- “What are S3 storage classes, and how do you choose between Standard, Infrequent Access, and Glacier?”
- “How would you make an S3 bucket accessible to the public for a static website while keeping other buckets private?”
- “What is an S3 bucket policy vs an IAM policy? If both exist, which takes precedence?”
- “How does S3 versioning work, and when would you enable it?”
- “What is S3 Object Lock, and what problem does it solve?”
What interviewers are probing: Storage questions often focus on access control and cost. The bucket policy vs IAM policy question is a classic — both apply, and the effective permission is the intersection of what both allow (with the exception of explicit denies, which always win). Candidates who understand this demonstrate real AWS knowledge rather than surface familiarity.
IAM and Security#
Questions you’ll see:
- “What is an IAM role vs an IAM user? When would you use each?”
- “How would you give an EC2 instance permission to write to an S3 bucket without putting credentials in environment variables?”
- “What is an IAM policy, and what are the key elements of a policy document?”
- “What is AWS STS, and when would you use AssumeRole?”
- “How do you audit what permissions a specific IAM role or user actually has?”
What interviewers are probing: IAM is tested in almost every AWS interview because it underpins everything. The core concept they’re looking for is: avoid long-lived credentials, use roles wherever possible, and apply least privilege. The EC2-to-S3 question should lead to “attach an IAM role to the instance” — candidates who say “put the access key in the code” reveal a significant gap.
VPC and Networking#
Questions you’ll see:
- “Walk me through the components of a VPC: subnets, route tables, internet gateways, NAT gateways.”
- “What goes in a public subnet vs a private subnet, and why?”
- “What is a security group vs a network ACL? What’s the key operational difference?”
- “How does VPC peering work? What can’t it do?”
- “What is AWS PrivateLink, and when would you use it instead of peering?”
What interviewers are probing: Networking questions separate candidates with real hands-on experience from those who’ve only read documentation. Security groups are stateful (you don’t need to define return traffic rules); network ACLs are stateless (you do). VPC peering doesn’t support transitive routing — a common follow-up. These details matter in practice and interviewers know that.
Lambda and Serverless#
Questions you’ll see:
- “What is Lambda’s execution model? What happens cold vs warm?”
- “What are the limitations of Lambda you’d need to account for when designing a system?”
- “When would you choose Lambda over a container on ECS? What tips the decision?”
- “How would you pass configuration to a Lambda function without hardcoding it?”
- “What is an event source mapping in Lambda?”
What interviewers are probing: Lambda questions often reveal whether a candidate understands the trade-offs of serverless rather than treating it as a magic solution. Cold starts, the 15-minute execution limit, concurrency quotas, and the difficulty of local development are all real constraints that come up in design discussions.
RDS and Databases#
Questions you’ll see:
- “What is the difference between RDS and Aurora? Why might you choose Aurora?”
- “How does RDS Multi-AZ work? What does it protect against, and what does it not protect against?”
- “What is RDS Read Replicas? How is their purpose different from Multi-AZ?”
- “When would you use DynamoDB instead of RDS?”
What interviewers are probing: Multi-AZ vs Read Replicas is a very common trap. Multi-AZ is for high availability (automatic failover during an outage). Read Replicas are for read scalability. They serve different purposes. Candidates who confuse them or say “they’re basically the same” raise concerns.
CloudFormation and Infrastructure as Code#
Questions you’ll see:
- “What is CloudFormation? How does it compare to Terraform?”
- “What is a CloudFormation stack? What happens when a stack update fails?”
- “What are CloudFormation drift detection and stack policies?”
- “Have you used the AWS CDK? How does it relate to CloudFormation under the hood?”
What interviewers are probing: Companies that use CloudFormation want to know you understand stack lifecycle, rollback behaviour, and change sets. Candidates who have used only Terraform may still be hired, but should be honest about it and demonstrate that they understand the underlying concepts are transferable.
ECS and EKS#
Questions you’ll see:
- “What is the difference between ECS and EKS? When would you choose one over the other?”
- “What is AWS Fargate? What does it remove from your operational responsibility?”
- “How does ECS service discovery work?”
- “What are the main components of an ECS task definition?”
What interviewers are probing: Container orchestration questions are more common as Kubernetes adoption grows. The ECS vs EKS question is often about team familiarity and operational overhead tolerance. EKS gives more control and is more portable; ECS is simpler and well-integrated with the AWS ecosystem. Neither answer is wrong — the interviewer wants to see the reasoning.
Scenario Question: Fault-Tolerant Web Application on AWS#
A common system design question for mid and senior AWS roles:
“Design a fault-tolerant, scalable web application on AWS that can handle variable traffic.”
A strong answer covers:
- Application Load Balancer in front of an Auto Scaling Group of EC2 instances across multiple AZs
- Static assets served from S3 via CloudFront
- RDS Aurora in Multi-AZ for the database, with a read replica if read-heavy
- ElastiCache for session state (so instances are stateless)
- Route 53 for DNS with health checks
- CloudWatch alarms and dashboards for monitoring
- IAM roles for all service-to-service access, no hardcoded credentials
The point is not to reach a specific answer — it’s to show you understand how the components interact, why you’d make each choice, and what the failure modes look like.
Do AWS Certifications Help?#
The AWS Solutions Architect Associate (SAA-C03) is the most commonly recognised AWS certification for cloud engineering roles. It demonstrates a working knowledge of core services and basic architectural patterns. For people breaking into the market, it provides credibility when hands-on experience is limited.
At mid and senior level, certifications matter less than demonstrable experience. A candidate with two years of real AWS work and no certifications will typically outperform a candidate with three certifications and no hands-on projects.
The AWS Certified DevOps Engineer Professional and the AWS Certified Solutions Architect Professional are more credible signals at senior level, partly because they’re harder to pass without genuine experience.
Common Mistakes AWS Candidates Make#
Listing services rather than reasoning. Saying “I’d use S3 and Lambda and CloudWatch” without explaining why or how they connect is a weak answer.
Not knowing the limits. Lambda’s 15-minute timeout, S3’s eventual consistency for some operations, the 5 GB limit on S3 single PUT uploads — real engineers know these constraints because they’ve hit them.
Treating IAM as an afterthought. Proposing architectures where applications connect to databases with hardcoded credentials, or where IAM roles have wildcard permissions, signals that security is not part of your default thinking.
Conflating Multi-AZ and Read Replicas. Covered above — it comes up often enough to be worth repeating.
Not asking clarifying questions in system design. Walking into an open-ended design question without establishing constraints (traffic volume, budget, existing stack, compliance requirements) produces generic answers that don’t impress.