Tutorials Logic, IN +91 8092939553 info@tutorialslogic.com

Top 50 AWS Cloud Practitioner Interview Questions

Real exam-style questions covering cloud concepts, AWS core services, security, pricing, billing, and the shared responsibility model for the CLF-C02 certification.

01

What is cloud computing?

Cloud computing is the on-demand delivery of IT resources (compute, storage, databases, networking, software) over the internet with pay-as-you-go pricing. Instead of owning and maintaining physical data centers, you access technology services from a cloud provider like AWS.

02

What are the three cloud computing deployment models?

  • Public cloud - resources owned and operated by a third-party provider (AWS, Azure, GCP) and delivered over the internet. Shared infrastructure.
  • Private cloud - cloud infrastructure operated solely for a single organization. Can be on-premises or hosted by a third party.
  • Hybrid cloud - combination of public and private clouds connected by technology that allows data and applications to be shared between them.
03

What are the three cloud computing service models?

  • IaaS (Infrastructure as a Service) - provides virtualized computing resources over the internet. You manage OS, middleware, and applications. Examples: EC2, VPC.
  • PaaS (Platform as a Service) - provides a platform for developing, running, and managing applications without managing infrastructure. Examples: Elastic Beanstalk, RDS.
  • SaaS (Software as a Service) - delivers software applications over the internet on a subscription basis. Examples: Gmail, Salesforce, AWS WorkMail.
04

What are the six advantages of cloud computing according to AWS?

  • Trade capital expense for variable expense.
  • Benefit from massive economies of scale.
  • Stop guessing capacity.
  • Increase speed and agility.
  • Stop spending money running and maintaining data centers.
  • Go global in minutes.
05

What is the AWS Shared Responsibility Model?

The Shared Responsibility Model divides security responsibilities between AWS and the customer. AWS is responsible for security OF the cloud (hardware, software, networking, facilities). The customer is responsible for security IN the cloud (data, identity management, OS configuration, network/firewall settings, encryption).

06

What is AWS responsible for in the Shared Responsibility Model?

  • Physical security of data centers.
  • Hardware and global infrastructure (regions, AZs, edge locations).
  • Managed services infrastructure (e.g., RDS OS patching).
  • Hypervisor and virtualization layer.
  • Network infrastructure.
07

What is the customer responsible for in the Shared Responsibility Model?

  • Data encryption (at rest and in transit).
  • Identity and Access Management (IAM users, roles, policies).
  • Operating system patching for EC2 instances.
  • Security group and network ACL configuration.
  • Application-level security.
  • Client-side data encryption.
08

What is an AWS Region?

An AWS Region is a physical location in the world where AWS has multiple data centers (Availability Zones). Each Region is completely independent and isolated from other Regions. Examples: us-east-1 (N. Virginia), eu-west-1 (Ireland), ap-southeast-1 (Singapore). Choose a Region based on latency, compliance, and service availability.

09

What is an Availability Zone (AZ)?

An Availability Zone is one or more discrete data centers within an AWS Region, each with redundant power, networking, and connectivity. AZs are physically separated but connected with low-latency links. Deploying across multiple AZs provides high availability and fault tolerance.

10

What is an AWS Edge Location?

Edge locations are AWS data center endpoints used by CloudFront (CDN) and Route 53 to cache content closer to end users. There are more edge locations than Regions. They reduce latency for global users by serving cached content from the nearest location.

11

What is Amazon EC2?

Amazon EC2 (Elastic Compute Cloud) provides resizable virtual servers (instances) in the cloud. You choose the instance type (CPU, memory, storage), OS, and configuration. EC2 is IaaS - you manage the OS and above. Use cases: web servers, application servers, batch processing.

12

What are the EC2 pricing models?

  • On-Demand - pay per hour/second with no commitment. Most flexible. Highest cost. Best for unpredictable workloads.
  • Reserved Instances - 1 or 3 year commitment. Up to 72% discount. Best for steady-state workloads.
  • Spot Instances - bid for unused EC2 capacity. Up to 90% discount. Can be interrupted. Best for fault-tolerant, flexible workloads.
  • Savings Plans - flexible pricing model with 1 or 3 year commitment. Applies to EC2, Lambda, and Fargate.
  • Dedicated Hosts - physical server dedicated to your use. Most expensive. Required for certain compliance/licensing needs.
13

What is Amazon S3?

Amazon S3 (Simple Storage Service) is object storage with unlimited capacity. Objects are stored in buckets. S3 provides 99.999999999% (11 nines) durability. Use cases: backup and restore, static website hosting, data lakes, media storage. S3 is not a file system - it stores objects (files + metadata) accessed via HTTP.

14

What are the S3 storage classes?

  • S3 Standard - frequently accessed data. High availability. Default class.
  • S3 Intelligent-Tiering - automatically moves data between tiers based on access patterns.
  • S3 Standard-IA (Infrequent Access) - lower cost for infrequently accessed data. Retrieval fee applies.
  • S3 One Zone-IA - lower cost, single AZ. Less resilient.
  • S3 Glacier Instant Retrieval - archive storage with millisecond retrieval.
  • S3 Glacier Flexible Retrieval - archive storage, retrieval in minutes to hours.
  • S3 Glacier Deep Archive - lowest cost, retrieval in 12 hours. Long-term archive.
15

What is Amazon RDS?

Amazon RDS (Relational Database Service) is a managed relational database service. AWS handles provisioning, patching, backup, recovery, and scaling. Supported engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. You manage the database schema and data; AWS manages the infrastructure.

16

What is Amazon DynamoDB?

Amazon DynamoDB is a fully managed, serverless NoSQL key-value and document database. It provides single-digit millisecond performance at any scale. DynamoDB automatically scales capacity up and down. Use cases: gaming, IoT, mobile apps, real-time leaderboards. No servers to manage.

17

What is Amazon VPC?

Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network you define. You control IP address ranges, subnets, route tables, and network gateways. VPC is the networking foundation for most AWS services.

18

What is the difference between a public subnet and a private subnet?

  • Public subnet - has a route to an Internet Gateway. Resources can communicate directly with the internet. Used for web servers, load balancers.
  • Private subnet - no direct route to the internet. Resources can only communicate within the VPC or via NAT Gateway. Used for databases, application servers.
19

What is an Internet Gateway?

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It serves two purposes: provides a target in route tables for internet-routable traffic, and performs NAT for instances with public IP addresses.

20

What is AWS IAM?

AWS IAM (Identity and Access Management) enables you to manage access to AWS services and resources securely. You create users, groups, roles, and policies. IAM is global (not region-specific). Key principle: grant least privilege - give only the permissions needed to perform a task.

21

What is the difference between IAM users, groups, and roles?

  • IAM User - a person or application with long-term credentials (username/password or access keys).
  • IAM Group - a collection of IAM users. Attach policies to groups to manage permissions for multiple users.
  • IAM Role - an identity with permissions that can be assumed by AWS services, applications, or users. No long-term credentials. Used for EC2 instances, Lambda functions, cross-account access.
22

What is an IAM Policy?

An IAM Policy is a JSON document that defines permissions. It specifies what actions are allowed or denied on which AWS resources. Types: AWS managed policies (pre-built by AWS), customer managed policies (you create), and inline policies (embedded directly in a user/group/role).

Example

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}

23

What is AWS CloudTrail?

AWS CloudTrail records API calls and account activity across your AWS infrastructure. It provides event history for auditing, compliance, and security analysis. CloudTrail logs who made a request, what service was called, when it happened, and from where. It is enabled by default and keeps 90 days of event history; create a trail for longer retention.

24

What is Amazon CloudWatch?

Amazon CloudWatch is a monitoring and observability service. It collects metrics, logs, and events from AWS resources and applications. Use CloudWatch to: set alarms (e.g., CPU > 80%), create dashboards, trigger auto-scaling, and analyze logs. CloudWatch Logs stores application and system logs.

25

What is AWS Trusted Advisor?

AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision resources following AWS best practices. It checks across five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Basic and Developer support plans get limited checks; Business and Enterprise get all checks.

26

What is the AWS Well-Architected Framework?

The AWS Well-Architected Framework provides best practices for building secure, high-performing, resilient, and efficient infrastructure. It has six pillars:

  • Operational Excellence - run and monitor systems.
  • Security - protect information and systems.
  • Reliability - recover from failures.
  • Performance Efficiency - use resources efficiently.
  • Cost Optimization - avoid unnecessary costs.
  • Sustainability - minimize environmental impact.
27

What is Amazon Route 53?

Amazon Route 53 is a highly available and scalable DNS (Domain Name System) web service. It translates domain names to IP addresses. Route 53 also provides domain registration, health checking, and traffic routing policies (simple, weighted, latency-based, failover, geolocation).

28

What is Amazon CloudFront?

Amazon CloudFront is a fast content delivery network (CDN) service. It delivers data, videos, applications, and APIs globally with low latency by caching content at edge locations. CloudFront integrates with S3, EC2, ELB, and Route 53. It also provides DDoS protection via AWS Shield.

29

What is AWS Shield?

  • AWS Shield Standard - automatically protects all AWS customers from common DDoS attacks at no extra cost.
  • AWS Shield Advanced - paid service providing enhanced DDoS protection, 24/7 DDoS response team, and financial protection against DDoS-related scaling charges.
30

What is AWS WAF?

AWS WAF (Web Application Firewall) protects web applications from common web exploits (SQL injection, cross-site scripting). You create rules to allow, block, or monitor web requests. WAF integrates with CloudFront, ALB, API Gateway, and AppSync.

31

What is Amazon SNS?

Amazon SNS (Simple Notification Service) is a fully managed pub/sub messaging service. Publishers send messages to topics; subscribers receive them. Supports multiple protocols: HTTP/HTTPS, email, SMS, SQS, Lambda. Use case: send notifications when an event occurs (e.g., alert when S3 upload completes).

32

What is Amazon SQS?

Amazon SQS (Simple Queue Service) is a fully managed message queuing service. It decouples application components by storing messages in a queue until they are processed. Types: Standard (at-least-once delivery, best-effort ordering) and FIFO (exactly-once processing, strict ordering).

33

What is AWS Lambda?

AWS Lambda is a serverless compute service that runs code in response to events without provisioning or managing servers. You pay only for compute time consumed (per request and duration). Lambda supports Node.js, Python, Java, Go, Ruby, and more. Use cases: API backends, data processing, automation.

34

What is the difference between vertical and horizontal scaling?

  • Vertical scaling (scale up) - increase the size of an existing instance (more CPU, RAM). Has limits. Requires downtime.
  • Horizontal scaling (scale out) - add more instances to distribute load. No limits. No downtime. AWS Auto Scaling handles this automatically.
35

What is AWS Auto Scaling?

AWS Auto Scaling automatically adjusts the number of EC2 instances (or other resources) based on demand. It ensures you have the right number of instances to handle load. Types: dynamic scaling (responds to demand changes) and predictive scaling (uses ML to forecast demand).

36

What is Elastic Load Balancing (ELB)?

  • Application Load Balancer (ALB) - Layer 7. Routes based on HTTP/HTTPS content (URL, headers). Best for web applications.
  • Network Load Balancer (NLB) - Layer 4. Ultra-high performance, handles millions of requests per second. Best for TCP/UDP traffic.
  • Gateway Load Balancer (GWLB) - deploys and scales third-party virtual appliances.
  • Classic Load Balancer - legacy. Not recommended for new applications.
37

What is Amazon ECS?

Amazon ECS (Elastic Container Service) is a fully managed container orchestration service. It runs Docker containers on a cluster of EC2 instances or AWS Fargate (serverless). ECS manages container scheduling, scaling, and health monitoring.

38

What is AWS Fargate?

AWS Fargate is a serverless compute engine for containers. It works with ECS and EKS. With Fargate, you do not manage servers or clusters - you just define your container requirements (CPU, memory) and Fargate handles the infrastructure. Pay only for the resources your containers use.

39

What is AWS Elastic Beanstalk?

AWS Elastic Beanstalk is a PaaS service that automatically handles deployment, capacity provisioning, load balancing, auto-scaling, and health monitoring. You upload your application code and Beanstalk handles the rest. Supports Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker.

40

What is Amazon Glacier?

Amazon S3 Glacier is a low-cost cloud storage service for data archiving and long-term backup. Retrieval times range from minutes (Instant Retrieval) to hours (Flexible Retrieval) to 12 hours (Deep Archive). Glacier is ideal for data that is rarely accessed but must be retained for compliance.

41

What is the AWS Free Tier?

  • Always Free - services that are always free regardless of time (e.g., Lambda 1M requests/month, DynamoDB 25GB storage).
  • 12 Months Free - free for 12 months after account creation (e.g., EC2 750 hours/month t2.micro, S3 5GB).
  • Trials - short-term free trials for specific services (e.g., Amazon Inspector 90-day trial).
42

What is the AWS Pricing Calculator?

The AWS Pricing Calculator (calculator.aws) is a free tool to estimate the cost of AWS services for your use case. You configure services and get a monthly cost estimate. Useful for planning migrations, comparing deployment options, and budgeting.

43

What is AWS Cost Explorer?

AWS Cost Explorer is a tool to visualize, understand, and manage your AWS costs and usage over time. It provides graphs of spending, identifies cost trends, and shows which services cost the most. You can filter by service, region, account, and tags.

44

What is AWS Budgets?

AWS Budgets lets you set custom cost and usage budgets and receive alerts when you exceed (or are forecasted to exceed) your thresholds. You can set budgets for cost, usage, reservation coverage, and Savings Plans utilization. Alerts can be sent via email or SNS.

45

What is the difference between AWS Support plans?

  • Basic - free. Access to documentation, whitepapers, and AWS Trusted Advisor (limited checks).
  • Developer - $29/month. Business hours email support. One primary contact.
  • Business - $100/month. 24/7 phone, email, chat support. Full Trusted Advisor checks. < 1 hour response for production issues.
  • Enterprise On-Ramp - $5,500/month. Pool of Technical Account Managers.
  • Enterprise - $15,000/month. Dedicated Technical Account Manager (TAM). < 15 min response for business-critical issues.
46

What is the AWS Marketplace?

AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors (ISVs). You can find, test, buy, and deploy software that runs on AWS. Categories include security, networking, storage, machine learning, and business intelligence.

47

What is AWS Organizations?

AWS Organizations lets you centrally manage multiple AWS accounts. Features: consolidated billing (single payment method for all accounts), service control policies (SCPs) to restrict what services accounts can use, and organizational units (OUs) to group accounts.

48

What is Amazon Inspector?

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses EC2 instances and container images for software vulnerabilities and unintended network exposure.

49

What is AWS Artifact?

AWS Artifact is a self-service portal for on-demand access to AWS compliance reports and agreements. It provides access to AWS security and compliance documents such as SOC reports, PCI reports, and ISO certifications. Useful for audits and compliance requirements.

50

What is the difference between AWS Global Infrastructure components?

  • Region - geographic area with 2+ AZs. Choose based on latency, compliance, and service availability.
  • Availability Zone - one or more data centers in a Region. Isolated for fault tolerance.
  • Edge Location - used by CloudFront and Route 53 for content caching. More locations than Regions.
  • Local Zone - extension of a Region closer to large population centers for ultra-low latency.
  • Wavelength Zone - embeds AWS compute in telecom networks for 5G ultra-low latency applications.
