Top 200 AWS Cloud Interview Questions & Answers
Basic Questions (1-80)
Q1. What is Amazon Web Services (AWS)?
Amazon Web Services is a comprehensive cloud computing platform provided by Amazon, offering over 200 fully featured services from data centers globally. AWS provides on-demand access to compute power, database storage, content delivery, and other IT resources through the internet with pay-as-you-go pricing. It enables organizations to move faster, lower IT costs, and scale applications globally without upfront infrastructure investment.
Q2. What are the main categories of AWS services?
AWS services are organized into categories including Compute (EC2, Lambda, ECS), Storage (S3, EBS, EFS, Glacier), Database (RDS, DynamoDB, Redshift, ElastiCache), Networking (VPC, Route 53, CloudFront, Direct Connect), Security (IAM, KMS, Shield, WAF), and Management & Monitoring (CloudWatch, CloudTrail, Config). Additional categories cover ML/AI, IoT, Developer Tools, Migration, and Analytics. Each category contains multiple services tailored to specific use cases.
Q3. What is an AWS Region?
An AWS Region is a physical location in the world where AWS clusters data centers, currently comprising over 30 geographic regions globally. Each Region is completely independent and isolated from other Regions to achieve the greatest possible fault tolerance and stability. Customers choose Regions based on latency, compliance, data residency requirements, and service availability.
Q4. What is an Availability Zone (AZ)?
An Availability Zone is one or more discrete data centers within an AWS Region, each with redundant power, networking, and connectivity. AZs within a Region are connected through low-latency, high-throughput, and highly redundant networking. By distributing applications across multiple AZs, architects achieve high availability and fault tolerance—a failure in one AZ does not affect other AZs.
Q5. What is Amazon EC2?
Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the cloud, allowing users to launch virtual servers called instances. EC2 offers a wide selection of instance types optimized for different use cases—compute-optimized (C-family), memory-optimized (R/X-family), storage-optimized (I/D-family), and general-purpose (M/T-family). Users pay only for compute capacity consumed, with options for On-Demand, Reserved, Spot, and Dedicated Host pricing.
Q6. What is Amazon S3?
Amazon Simple Storage Service (S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. S3 stores data as objects within buckets, supporting objects up to 5 TB in size with virtually unlimited total storage. S3 provides multiple storage classes (Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier, Glacier Deep Archive) for cost optimization based on access patterns.
Q7. What is IAM in AWS?
AWS Identity and Access Management (IAM) enables secure control of access to AWS services and resources. IAM allows creation of users, groups, and roles, and management of permissions through policies written in JSON. Key IAM concepts include the principle of least privilege, identity federation, multi-factor authentication (MFA), and service roles that grant AWS services permissions to act on your behalf.
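As an added example (not code from the page or from AWS), the following simplified evaluator shows how a JSON IAM identity policy is decided: an explicit Deny overrides any Allow, and a request matched by no statement is implicitly denied. It also flags the "*" on "*" statements a least-privilege review would reject. The policies are constructed for the example; Condition, NotAction and NotResource are not modelled.

```python
import json
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' wildcards are supported.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are matched case-sensitively.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one identity-based policy.

    An explicit Deny wins over every Allow; if no statement matches the request
    the result is the implicit deny. (Simplified: no Condition/NotAction support.)
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in _as_list(policy["Statement"]):
        if not (_action_matches(stmt.get("Action", []), action)
                and _resource_matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: stop immediately
        decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Least-privilege check: indexes of Allow statements granting '*' on '*'."""
    return [i for i, s in enumerate(_as_list(policy["Statement"]))
            if s["Effect"] == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]


# Constructed policies (hypothetical bucket name).
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}""")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate(READ_ONLY_POLICY, "s3:GetObject",
                   "arn:aws:s3:::example-bucket/secrets/db.txt"))  # Deny
    print(overly_broad_statements(ADMIN_POLICY))  # [0]
```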
Q8. What is a VPC?
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. VPC supports both IPv4 and IPv6 addressing.
Q9. What is the difference between a public subnet and a private subnet?
A public subnet has a route in its route table pointing to an Internet Gateway, allowing resources within it to communicate directly with the internet. A private subnet has no direct route to the Internet Gateway, preventing direct internet access; resources in private subnets access the internet through a NAT Gateway or NAT Instance placed in a public subnet. Public subnets host internet-facing resources like load balancers, while private subnets host databases and application servers.
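An added example (not from the page) that applies the public/private distinction above as a configuration check: it classifies subnets from their default route, flags subnets that are internet-routable without being on an approved list, and catches a NAT Gateway placed outside a public subnet. The route-table and NAT Gateway records are constructed and assume explicit subnet associations.

```python
from dataclasses import dataclass, field


# Hypothetical records, loosely shaped like describe-route-tables /
# describe-nat-gateways output (constructed for this example).
@dataclass
class RouteTable:
    id: str
    routes: dict  # destination CIDR -> target ("local", "igw-...", "nat-...")
    subnet_ids: list = field(default_factory=list)  # explicitly associated subnets


@dataclass
class NatGateway:
    id: str
    subnet_id: str


DEFAULT_ROUTE = "0.0.0.0/0"


def classify_subnets(route_tables):
    """Map each subnet to 'public' (default route to an Internet Gateway),
    'private' (default route to a NAT Gateway) or 'isolated' (no default route)."""
    kinds = {}
    for rt in route_tables:
        target = rt.routes.get(DEFAULT_ROUTE, "")
        if target.startswith("igw-"):
            kind = "public"
        elif target.startswith("nat-"):
            kind = "private"
        else:
            kind = "isolated"
        for subnet_id in rt.subnet_ids:
            kinds[subnet_id] = kind
    return kinds


def misplaced_nat_gateways(route_tables, nat_gateways):
    """A NAT Gateway only reaches the internet if its own subnet is public;
    one placed in a private or isolated subnet silently breaks egress."""
    kinds = classify_subnets(route_tables)
    return sorted(n.id for n in nat_gateways if kinds.get(n.subnet_id) != "public")


def unexpected_public_subnets(route_tables, expected_public):
    """Subnets that are internet-routable but not on the approved list."""
    kinds = classify_subnets(route_tables)
    return sorted(s for s, k in kinds.items()
                  if k == "public" and s not in expected_public)


ROUTE_TABLES = [
    RouteTable("rtb-public", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "igw-0aaa"},
               ["subnet-pub-a", "subnet-pub-b"]),
    RouteTable("rtb-app", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "nat-0bbb"},
               ["subnet-app-a", "subnet-app-b"]),
    RouteTable("rtb-db", {"10.0.0.0/16": "local"}, ["subnet-db-a"]),
    # Misconfiguration: a database subnet accidentally given an IGW route.
    RouteTable("rtb-db-oops", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "igw-0aaa"},
               ["subnet-db-b"]),
]
NAT_GATEWAYS = [
    NatGateway("nat-0bbb", "subnet-pub-a"),  # correctly placed in a public subnet
    NatGateway("nat-0ccc", "subnet-app-a"),  # misplaced: lives in a private subnet
]

if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES))
    print("misplaced NAT:", misplaced_nat_gateways(ROUTE_TABLES, NAT_GATEWAYS))
    print("unexpected public:",
          unexpected_public_subnets(ROUTE_TABLES, {"subnet-pub-a", "subnet-pub-b"}))
```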
Q10. What is Amazon RDS?
Amazon Relational Database Service (RDS) makes it easy to set up, operate, and scale a relational database in the cloud. RDS manages time-consuming database administration tasks such as hardware provisioning, database setup, patching, and backups. RDS supports multiple database engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora, with Multi-AZ deployment for high availability and Read Replicas for read scaling.
Q11. What is Amazon DynamoDB?
Amazon DynamoDB is a fully managed, serverless, key-value and document NoSQL database service that delivers single-digit millisecond performance at any scale. DynamoDB automatically scales throughput capacity with demand and replicates data across multiple AZs for durability. It supports DynamoDB Streams for change data capture, global tables for multi-region replication, and DAX (DynamoDB Accelerator) for in-memory caching.
Q12. What is AWS Lambda?
AWS Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources. Lambda executes functions in response to triggers from over 200 AWS services and SaaS applications, scaling automatically from a few requests per day to thousands per second. Functions are billed in 1-millisecond increments based on execution duration and memory allocated, with no charge when code is not running.
Q13. What is Amazon CloudFront?
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront integrates with AWS services like S3, EC2, Elastic Load Balancing, and Route 53, and provides DDoS protection via AWS Shield Standard at no additional cost. It supports custom SSL certificates, field-level encryption, and Lambda@Edge for running code at edge locations.
Q14. What is Amazon Route 53?
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service designed to route end users to internet applications. Route 53 supports multiple routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, and Multivalue Answer routing. It also provides domain registration, health checks, and traffic flow management with a visual editor.
Q15. What are EC2 instance purchasing options?
AWS offers several EC2 purchasing options: On-Demand Instances pay by the second with no long-term commitment; Reserved Instances provide up to 72% discount for 1- or 3-year commitments; Spot Instances use unused EC2 capacity at up to 90% discount but can be interrupted; Dedicated Hosts are physical servers dedicated to your use for compliance/licensing needs; Savings Plans offer flexible pricing with committed spend. Choosing the right mix optimizes cost significantly.
Q16. What is an Amazon Machine Image (AMI)?
An Amazon Machine Image (AMI) is a template that contains a software configuration (operating system, application server, and applications) from which you launch EC2 instances. AMIs can be AWS-provided, AWS Marketplace AMIs, community AMIs, or custom AMIs you create from existing instances. AMIs are region-specific and must be copied to other regions if needed. Storing AMIs enables rapid, consistent instance provisioning.
Q17. What is Amazon EBS?
Amazon Elastic Block Store (EBS) provides persistent block-level storage volumes for use with EC2 instances, persisting independently from the instance's life. EBS volume types include gp3/gp2 (general-purpose SSD), io2/io1 (provisioned IOPS SSD for databases), st1 (throughput-optimized HDD for big data), and sc1 (cold HDD for infrequent access). EBS supports snapshots to S3 for backup and volume replication across AZs.
Q18. What is Amazon EFS?
Amazon Elastic File System (EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. EFS automatically grows and shrinks as you add and remove files, requiring no capacity management. It supports two performance modes (General Purpose and Max I/O), two throughput modes (Bursting and Provisioned), and four storage classes including EFS Standard and EFS Infrequent Access.
Q19. What is AWS CloudFormation?
AWS CloudFormation provides a common language for describing and provisioning all infrastructure resources in your cloud environment using Infrastructure as Code (IaC). CloudFormation templates (JSON or YAML) define AWS resources and their dependencies, allowing creation, update, and deletion of entire resource stacks as a single unit. Key concepts include stacks, change sets (preview changes), stack sets (deploy across multiple accounts/regions), and drift detection.
Q20. What is Amazon CloudWatch?
Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events. CloudWatch provides actionable insights to monitor applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. Key features include dashboards, alarms, Logs Insights for log analysis, Container Insights, and Synthetics for canary monitoring.
Q21. What is AWS Auto Scaling?
AWS Auto Scaling monitors applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. It supports scaling for EC2 instances, ECS tasks, DynamoDB tables, Aurora replicas, and more. Auto Scaling Groups (ASGs) define minimum, maximum, and desired capacity; scaling policies can be target tracking (maintain a metric at a target value), step scaling, or scheduled scaling based on predictable load patterns.
Q22. What is Elastic Load Balancing (ELB)?
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets—EC2 instances, containers, IP addresses, and Lambda functions—in one or more Availability Zones. AWS offers four types: Application Load Balancer (layer 7, HTTP/HTTPS with path-based routing), Network Load Balancer (layer 4, ultra-low latency TCP/UDP), Gateway Load Balancer (for third-party virtual appliances), and Classic Load Balancer (legacy). ELB integrates with Auto Scaling, ACM, WAF, and CloudWatch.
Q23. What is Amazon SNS?
Amazon Simple Notification Service (SNS) is a fully managed pub/sub messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allow publishers to send messages to multiple subscribers simultaneously—endpoints can include SQS queues, Lambda functions, HTTP/HTTPS endpoints, email, SMS, and mobile push notifications. SNS supports message filtering so subscribers receive only relevant messages.
Q24. What is Amazon SQS?
Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables decoupling and scaling of microservices, distributed systems, and serverless applications. SQS offers two queue types: Standard queues provide maximum throughput, best-effort ordering, and at-least-once delivery; FIFO queues guarantee exactly-once processing and strict ordering. Key features include visibility timeout, dead-letter queues (DLQ), long polling, and message retention up to 14 days.
Q25. What is AWS CloudTrail?
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account by recording API calls. CloudTrail records the caller's identity, time of the API call, source IP address, request parameters, and response elements returned by AWS. Trails can deliver log files to S3 and CloudWatch Logs; CloudTrail Insights detects unusual API activity patterns automatically.
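An added example (not from the page) that reads CloudTrail-style records and uses the fields named above (caller identity, event time, source IP, event name, request parameters) to summarise who called what from where and to flag an identity making an unusually high number of API calls inside a sliding window, a simple version of the "unusual API activity" idea behind CloudTrail Insights. The log records, identities and IP addresses are constructed; the window and threshold are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

ALICE = "arn:aws:iam::123456789012:user/alice"  # hypothetical identities
BOB = "arn:aws:iam::123456789012:user/bob"


def _record(event_time, event_name, event_source, source_ip, arn, params=None):
    """Build one CloudTrail-style record (constructed sample, not real log data)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": event_source,
        "eventName": event_name,
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": params,
    }


# One routine call by alice, then 12 calls by bob between 10:01:00 and 10:02:50.
SAMPLE_RECORDS = [_record("2024-01-10T10:00:00Z", "DescribeInstances",
                          "ec2.amazonaws.com", "203.0.113.5", ALICE, {"instancesSet": {}})]
SAMPLE_RECORDS += [
    _record("2024-01-10T10:%02d:%02dZ" % divmod(60 + 10 * i, 60), "ListBuckets",
            "s3.amazonaws.com", "198.51.100.7", BOB)
    for i in range(12)
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})  # shape of a delivered log file


def parse_log(text):
    """CloudTrail log files are a JSON object with a top-level 'Records' array."""
    return json.loads(text)["Records"]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(records):
    """Per identity: the API calls made and the source IPs they came from."""
    summary = defaultdict(lambda: {"events": set(), "source_ips": set()})
    for r in records:
        arn = r["userIdentity"]["arn"]
        summary[arn]["events"].add(r["eventSource"] + ":" + r["eventName"])
        summary[arn]["source_ips"].add(r["sourceIPAddress"])
    return dict(summary)


def flag_api_bursts(records, window_seconds=300, threshold=10):
    """Identities that made more than `threshold` calls inside any sliding window
    of `window_seconds`; returns {arn: peak_count}."""
    stamps_by_arn = defaultdict(list)
    for r in records:
        stamps_by_arn[r["userIdentity"]["arn"]].append(_ts(r["eventTime"]))
    flagged = {}
    for arn, stamps in stamps_by_arn.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it fits within window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[arn] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print(flag_api_bursts(recs))  # {BOB: 12}
```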
Q26. What is Amazon Glacier?
Amazon S3 Glacier (now S3 Glacier Flexible Retrieval) is a secure, durable, and extremely low-cost cloud storage class for data archiving and long-term backup. Glacier offers three retrieval options: Expedited (1-5 minutes), Standard (3-5 hours), and Bulk (5-12 hours). S3 Glacier Instant Retrieval provides millisecond access; Glacier Deep Archive (12-48 hour retrieval) is the lowest-cost storage option for data retained for 7-10 years.
Q27. What is the AWS Shared Responsibility Model?
The AWS Shared Responsibility Model defines the division of security responsibilities between AWS and the customer. AWS is responsible for security "of" the cloud—protecting the infrastructure (hardware, software, networking, facilities) that runs AWS services. Customers are responsible for security "in" the cloud—including data encryption, access management, OS patching, network configuration, and application-level security. The boundary varies by service type (IaaS vs. managed services).
Q28. What is an Internet Gateway?
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that enables communication between instances in your VPC and the internet. It serves two purposes: providing a target in VPC route tables for internet-routable traffic, and performing network address translation (NAT) for instances with public IPv4 addresses. Each VPC can only have one IGW attached at a time.
Q29. What is a NAT Gateway?
A NAT (Network Address Translation) Gateway enables instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating connections with those instances. NAT Gateways are managed by AWS, highly available within an AZ, and support bandwidth scaling up to 100 Gbps. They are placed in public subnets, and the route tables of private subnets point to the NAT Gateway for internet-bound traffic.
Q30. What is Amazon ElastiCache?
Amazon ElastiCache is a fully managed in-memory caching service supporting Redis and Memcached engines. ElastiCache improves application performance by retrieving data from fast, managed, in-memory caches instead of slower disk-based databases. Redis supports advanced data structures, persistence, pub/sub, Lua scripting, and cluster mode for horizontal scaling; Memcached is simpler, multi-threaded, and suitable for simple caching use cases.
Q31. What is AWS Elastic Beanstalk?
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed in Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. Beanstalk automatically handles capacity provisioning, load balancing, auto-scaling, and application health monitoring while retaining full control over underlying resources. It supports multiple deployment policies: All at once, Rolling, Rolling with additional batch, and Immutable.
Q32. What is AWS ECS?
Amazon Elastic Container Service (ECS) is a fully managed container orchestration service that makes it easy to deploy, manage, and scale containerized applications. ECS supports two launch types: EC2 (you manage the underlying instances) and Fargate (serverless, AWS manages infrastructure). Key ECS concepts include Task Definitions (container blueprints), Tasks (running instances of task definitions), Services (ensure desired task count), and Clusters (logical grouping of resources).
Q33. What is AWS EKS?
Amazon Elastic Kubernetes Service (EKS) is a managed service that makes it easy to run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane. EKS runs the Kubernetes control plane across multiple AWS Availability Zones and automatically detects and replaces unhealthy control plane nodes. It supports both EC2 and Fargate for worker nodes and integrates with AWS services like IAM, VPC, CloudWatch, and ECR.
Q34. What is Amazon ECR?
Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry that makes it easy to store, manage, share, and deploy container images. ECR integrates with ECS, EKS, and Lambda, eliminating the need to manage your own container registries. It supports image vulnerability scanning, lifecycle policies to automate image cleanup, cross-account and cross-region replication, and encryption at rest using AWS KMS.
Q35. What is Amazon Redshift?
Amazon Redshift is a fast, scalable, fully managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing BI tools. Redshift uses columnar storage, data compression, and massively parallel processing (MPP) to deliver fast query performance. Redshift Spectrum allows querying data directly in S3 without loading it; Redshift Serverless removes the need to manage clusters.
Q36. What is AWS Direct Connect?
AWS Direct Connect is a cloud service solution that establishes a dedicated private network connection between your on-premises network and AWS, bypassing the public internet. Direct Connect provides consistent network performance, reduced bandwidth costs, and increased bandwidth throughput for data-intensive workloads. Connection speeds range from 50 Mbps to 100 Gbps; hosted connections and hosted VIFs allow sharing through AWS partners.
Q37. What is Amazon Kinesis?
Amazon Kinesis makes it easy to collect, process, and analyze real-time streaming data at any scale. Kinesis Data Streams captures gigabytes of data per second from hundreds of thousands of sources; Kinesis Data Firehose is the easiest way to reliably load streaming data into data stores (S3, Redshift, OpenSearch); Kinesis Data Analytics enables real-time analytics using SQL or Apache Flink; Kinesis Video Streams captures and stores video streams.
Q38. What is AWS Glue?
AWS Glue is a fully managed serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, ML, and application development. Glue crawlers automatically discover data stores and populate the Glue Data Catalog; ETL jobs transform and move data between stores using auto-generated or custom Apache Spark/Python scripts. Glue Studio provides a visual interface for building ETL pipelines without code.
Q39. What is Amazon Athena?
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless—no infrastructure to manage—and you pay only for the queries run ($5 per TB of data scanned). It supports CSV, JSON, ORC, Avro, and Parquet formats; using columnar formats and partitioning can reduce cost and improve performance significantly. Athena integrates with AWS Glue Data Catalog for metadata management.
Q40. What is AWS KMS?
AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data. KMS uses hardware security modules (HSMs) to protect the security of your keys and integrates with over 100 AWS services for encryption. Key types include AWS managed keys (free), customer managed keys (CMKs), and custom key store (CloudHSM-backed). KMS provides centralized key management, key rotation, and detailed audit logs via CloudTrail.
Q41. What is Amazon SageMaker?
Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy ML models quickly. SageMaker removes the heavy lifting of each step of the ML process—from data labeling (Ground Truth) to experimentation (Experiments) to model monitoring (Model Monitor). It provides built-in algorithms, automatic model tuning (hyperparameter optimization), and managed infrastructure for distributed training.
Q42. What is Amazon Cognito?
Amazon Cognito provides authentication, authorization, and user management for web and mobile apps. Cognito User Pools are user directories that provide sign-up, sign-in, and access control functionality; Cognito Identity Pools (Federated Identities) grant users temporary AWS credentials to access AWS services directly. Cognito supports social identity providers (Google, Facebook, Apple) and SAML/OIDC enterprise identity providers.
Q43. What is Amazon API Gateway?
Amazon API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. API Gateway supports REST APIs, HTTP APIs (lower latency and cost), and WebSocket APIs for real-time two-way communication. Features include throttling, caching, request/response transformation, API keys, usage plans, Lambda authorizers, and integration with Cognito for authentication.
Q44. What is AWS Step Functions?
AWS Step Functions is a serverless orchestration service that lets you coordinate multiple AWS services into serverless workflows using a visual workflow editor called Workflow Studio. Step Functions uses the Amazon States Language (ASL) to define state machines with states including Task, Choice, Parallel, Map, Wait, Succeed, Fail, and Pass. It supports Standard Workflows (exactly-once execution) and Express Workflows (high-volume, at-least-once).
Q45. What is Amazon EventBridge?
Amazon EventBridge is a serverless event bus service that makes it easy to build event-driven applications at scale. EventBridge receives events from AWS services, custom applications, and SaaS applications, then routes them to targets like Lambda, SQS, SNS, Step Functions, and more using rules with event patterns. EventBridge Scheduler enables scheduled invocations; EventBridge Pipes connects event sources to targets with optional filtering and enrichment.
Q46. What is AWS CodePipeline?
AWS CodePipeline is a fully managed continuous delivery service that helps automate release pipelines for fast and reliable application and infrastructure updates. Pipelines consist of stages (Source, Build, Test, Deploy) with transitions and actions; each action integrates with AWS services or third-party tools. CodePipeline integrates with CodeCommit, CodeBuild, CodeDeploy, CloudFormation, Elastic Beanstalk, ECS, and popular third-party tools like GitHub, Jenkins, and Jira.
Q47. What is AWS CodeBuild?
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages ready for deployment. Build specifications are defined in a buildspec.yml file specifying install, pre-build, build, and post-build phases. CodeBuild scales automatically and charges per minute of build time; it supports Docker for custom build environments and caches dependencies to speed builds.
Q48. What is AWS CodeDeploy?
AWS CodeDeploy is a fully managed deployment service that automates software deployments to EC2 instances, on-premises servers, Lambda functions, and ECS services. Deployment configurations control rollout speed: AllAtOnce, HalfAtATime, OneAtATime, or custom. AppSpec files define deployment hooks (lifecycle events) for installation validation; CodeDeploy supports Blue/Green deployments to shift traffic with automatic rollback on failure.
Q49. What is Amazon Aurora?
Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that combines the performance and availability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases. Aurora is up to 5x faster than standard MySQL and 3x faster than PostgreSQL, provides up to 15 low-latency read replicas, and stores six copies of data across three AZs. Aurora Serverless v2 scales capacity instantly in fine-grained increments.
Q50. What is Amazon VPC Peering?
VPC peering is a networking connection between two VPCs that enables routing of traffic between them using private IPv4 or IPv6 addresses as if they were in the same network. VPC peering can be between VPCs in the same account, different AWS accounts, or different Regions (inter-region peering). Peering is non-transitive—if VPC A peers with B and B peers with C, traffic cannot flow from A to C through B without a direct A-C peering connection.
Q51. What is AWS Transit Gateway?
AWS Transit Gateway is a network transit hub that enables customers to connect their VPCs and on-premises networks through a central gateway, simplifying network architecture. Instead of managing many-to-many VPC peering connections, Transit Gateway acts as a hub-and-spoke model supporting thousands of VPC attachments. It supports inter-region peering, multicast, route tables for traffic segmentation, and integration with Direct Connect and VPN.
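An added example (not from the page) serving Q50 and Q51 together: it models peering as direct, non-transitive links, counts how many peerings a full mesh needs, and models a Transit Gateway whose route tables decide which attachments can reach each other, including the segmentation case where a dev VPC reaches shared services but not production. VPC names and route-table layout are constructed.

```python
from itertools import combinations


def peering_reachable(peerings, src, dst):
    """Peering is non-transitive: traffic flows only over a direct peering."""
    return any({src, dst} == {a, b} for a, b in peerings)


def full_mesh_peerings(vpcs):
    """Peerings needed so that every VPC reaches every other VPC directly
    (n*(n-1)/2 for n VPCs, the many-to-many problem Transit Gateway removes)."""
    return list(combinations(sorted(vpcs), 2))


def tgw_reachable(associations, tgw_routes, src, dst):
    """Transit Gateway reachability.

    associations: {vpc: tgw_route_table}, the table each attachment is associated with.
    tgw_routes:   {tgw_route_table: set(vpcs)}, destinations that table routes to.
    src reaches dst only if src's table has a route to dst and dst's table routes
    back to src, so segmentation is enforced in both directions.
    """
    if src not in associations or dst not in associations or src == dst:
        return False
    forward = dst in tgw_routes.get(associations[src], set())
    back = src in tgw_routes.get(associations[dst], set())
    return forward and back


# Constructed topologies (hypothetical VPC and route-table names).
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")]  # A-B and B-C, but no A-C

# Single shared TGW route table: any attachment reaches any other.
FLAT_ASSOC = {"vpc-a": "rt-shared", "vpc-b": "rt-shared", "vpc-c": "rt-shared"}
FLAT_ROUTES = {"rt-shared": {"vpc-a", "vpc-b", "vpc-c"}}

# Segmented: prod VPCs talk to each other and to shared services; dev only
# reaches shared services and never production.
SEG_ASSOC = {"vpc-prod1": "rt-prod", "vpc-prod2": "rt-prod",
             "vpc-dev": "rt-dev", "vpc-shared": "rt-shared-svc"}
SEG_ROUTES = {"rt-prod": {"vpc-prod1", "vpc-prod2", "vpc-shared"},
              "rt-dev": {"vpc-shared"},
              "rt-shared-svc": {"vpc-prod1", "vpc-prod2", "vpc-dev"}}

if __name__ == "__main__":
    print("A->C over peering:", peering_reachable(PEERINGS, "vpc-a", "vpc-c"))  # False
    print("A->C over TGW:", tgw_reachable(FLAT_ASSOC, FLAT_ROUTES, "vpc-a", "vpc-c"))  # True
    print("dev->prod1:", tgw_reachable(SEG_ASSOC, SEG_ROUTES, "vpc-dev", "vpc-prod1"))  # False
    print("peerings for 10 VPCs:", len(full_mesh_peerings([f"vpc-{i}" for i in range(10)])))
```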
Q52. What is AWS Shield?
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. Shield Standard is automatically enabled for all AWS customers at no additional charge and protects against common, frequently occurring network and transport layer DDoS attacks. Shield Advanced ($3,000/month) provides enhanced protections for EC2, ELB, CloudFront, Route 53, and Global Accelerator, including 24/7 access to the AWS DDoS Response Team (DRT) and cost protection against scaling charges from attacks.
Q53. What is AWS WAF?
AWS Web Application Firewall (WAF) protects web applications from common web exploits and bots that could affect availability, compromise security, or consume excessive resources. WAF lets you create rules that control bot traffic and block common attack patterns such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 vulnerabilities. WAF Web ACLs attach to CloudFront, ALB, API Gateway, and AppSync; Managed Rule Groups from AWS and AWS Marketplace provide pre-built protections.
Q54. What is Amazon Inspector?
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Inspector automatically discovers EC2 instances, Lambda functions, and container images in ECR and scans them for known CVEs and network reachability issues. It provides a risk score for each finding prioritized by exploitability and blast radius, and integrates with Security Hub for centralized findings.
Q55. What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across your AWS accounts and workloads. GuardDuty analyzes CloudTrail events, VPC Flow Logs, DNS logs, EKS audit logs, and S3 data events using machine learning, anomaly detection, and integrated threat intelligence. Findings are categorized by severity and integrated with Security Hub, Detective, and EventBridge for automated response.
Q56. What is AWS Security Hub?
AWS Security Hub provides a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub aggregates, organizes, and prioritizes security alerts (findings) from multiple AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager) and third-party products. It evaluates your environment against the AWS Foundational Security Best Practices and CIS AWS Foundations standards.
Q57. What is Amazon Macie?
Amazon Macie is a data security service that uses ML to automatically discover, classify, and protect sensitive data stored in Amazon S3. Macie recognizes sensitive data types such as PII (names, addresses, credit card numbers, SSNs), financial data, and credentials. It provides an inventory of S3 buckets with their public accessibility and encryption status, and generates findings for policy violations and sensitive data discoveries that integrate with Security Hub and EventBridge.
Q58. What is Amazon Rekognition?
Amazon Rekognition is a cloud-based computer vision service that makes it easy to add image and video analysis to your applications. Rekognition can detect objects, scenes, activities, text, faces, and celebrities in images and videos; it can also compare faces for verification and search faces in collections. Rekognition Video analyzes video stored in S3 or streaming video from Kinesis Video Streams for activities and person tracking.
Q59. What is Amazon Lex?
Amazon Lex is a fully managed AI service for building conversational interfaces (chatbots and virtual agents) using voice and text. Lex provides advanced natural language understanding (NLU) and automatic speech recognition (ASR) technologies—the same technology that powers Amazon Alexa. It supports intents, slots, slot types, and fulfillment via Lambda functions; integrates with Connect (contact center), Kendra (knowledge base), and Polly (text-to-speech).
Q60. What is AWS Fargate?
AWS Fargate is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS, removing the need to provision and manage servers. With Fargate, you specify resource requirements (vCPU and memory) at the task or pod level, and AWS manages the underlying compute infrastructure. Fargate provides task-level isolation, integrates with VPC networking and IAM for security, and bills per vCPU and memory consumed per second.
Q61. What is Amazon SES?
Amazon Simple Email Service (SES) is a cost-effective, flexible, and scalable email service for sending transactional, marketing, and bulk emails. SES supports an SMTP interface, an API, and SDKs for sending email; features include delivery metrics (delivery rate, bounces, complaints), suppression list management, Virtual Deliverability Manager, and configuration sets for tracking. SES also supports receiving email, with rules for processing incoming mail.
Q62. What is AWS Secrets Manager?
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources by securely storing, rotating, managing, and retrieving credentials, API keys, and other secrets. Secrets Manager supports automatic rotation for supported services (RDS, Redshift, DocumentDB, other databases) using Lambda functions, eliminating hard-coded credentials. Secrets are encrypted using KMS and accessed via SDK/CLI/console with fine-grained IAM control.
Q63. What is AWS Systems Manager?
AWS Systems Manager (SSM) is an operations hub for managing applications and infrastructure running in the AWS Cloud and on-premises environments. SSM capabilities include Parameter Store (secure hierarchical storage for configuration data), Session Manager (secure shell access without SSH keys or bastion hosts), Patch Manager (automated patching), Run Command (remote command execution), and OpsCenter (aggregated operational issue view).
Q64. What is Amazon SWF?
Amazon Simple Workflow Service (SWF) is a web service that makes it easy to coordinate work across distributed application components. SWF manages state and flow of work across tasks and allows you to write coordination logic separately from activity logic. While SWF is still available, AWS now recommends Step Functions for new workflow orchestration use cases. SWF guarantees task assignment, tracks progress, and stores task results for up to one year.
Q65. What is Amazon WorkSpaces?
Amazon WorkSpaces is a fully managed, persistent desktop virtualization service that enables users to access data, applications, and resources they need from any device, anywhere. WorkSpaces runs on Amazon's global infrastructure and supports Windows and Linux desktops, with options for personal desktops (dedicated) or shared pools. WorkSpaces Secure Browser and Thin Client extend the portfolio for secure web browsing and lightweight virtual desktop scenarios.
Q66. What is AWS Backup?
AWS Backup is a fully managed, policy-based service that centralizes and automates data protection across AWS services. Backup policies (plans) define backup frequency, retention periods, lifecycle rules (transition to cold storage), and backup vault destinations. Supported services include EC2, EBS, RDS, Aurora, DynamoDB, EFS, FSx, Storage Gateway, VMware workloads, and Timestream. AWS Backup Audit Manager provides compliance reporting.
Q67. What is Amazon Elastic MapReduce (EMR)?
Amazon EMR is the industry-leading cloud big data solution for petabyte-scale data processing, interactive analytics, and ML using open-source frameworks like Apache Spark, Hive, Presto, HBase, Flink, and Hadoop. EMR automatically provisions and scales EC2 capacity; clusters can run on EC2 or EKS, or use EMR Serverless for automatic resource management. Use cases include ETL, log analysis, machine learning, real-time streaming, and genomics.
Q68. What is AWS DataSync?
AWS DataSync is an online data movement and discovery service that simplifies and accelerates migrations to AWS as well as moving data between on-premises and AWS storage. DataSync automates data movement between NFS, SMB, HDFS, self-managed object storage, and AWS storage (S3, EFS, FSx). It uses a purpose-built network protocol to transfer up to 10 Gbps, with built-in data integrity verification, encryption in transit, and bandwidth throttling.
Q69. What is Amazon OpenSearch Service?
Amazon OpenSearch Service (formerly Elasticsearch Service) makes it easy to deploy, operate, and scale OpenSearch clusters for log analytics, real-time application monitoring, and clickstream analysis. OpenSearch Service supports OpenSearch and legacy Elasticsearch APIs; UltraWarm provides cost-effective storage for hot/warm tiering; cold storage and Serverless options provide further cost optimization. It integrates with Kinesis Data Firehose, CloudWatch Logs, and DMS for data ingestion.
Q70. What is Amazon Timestream?
Amazon Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications. Timestream automatically scales up or down to adjust capacity and performance, with recent data in memory and historical data in a cost-optimized magnetic tier. It offers built-in time series analytics functions (smoothing, approximation, interpolation) and integrates with IoT Core, Kinesis, Telegraf, and Grafana for visualization.
Q71. What is AWS Organizations?
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Organizations lets you create accounts, group them into organizational units (OUs), and apply Service Control Policies (SCPs) to restrict what services and actions can be used in member accounts. It enables consolidated billing across all accounts, centralized security controls, and delegated administrator for services like Security Hub, GuardDuty, and Config.
Q72. What is AWS Control Tower?
AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment based on AWS best practices. Control Tower automates the setup of a landing zone with pre-configured security baseline accounts (management, log archive, audit), organizational units, and preventive and detective guardrails. Guardrails are SCPs (preventive) or Config rules (detective/proactive) that enforce governance policies across the organization.
Q73. What is Amazon QuickSight?
Amazon QuickSight is a fast, cloud-native, serverless business intelligence (BI) service that makes it easy to deliver insights to everyone in your organization. QuickSight connects to AWS data services (S3, Redshift, Athena, RDS, Aurora), databases, SaaS applications, and third-party files. SPICE (Super-fast, Parallel, In-memory Calculation Engine) enables rapid query responses; Q enables natural language queries (NLQ); Pixel-perfect reports support operational reporting.
Q74. What is Amazon AppFlow?
Amazon AppFlow is a fully managed integration service that enables secure data transfer between AWS services and SaaS applications such as Salesforce, SAP, Zendesk, Slack, ServiceNow, and Marketo. AppFlow supports bidirectional data transfer with data transformation capabilities (masking, filtering, merging, validating) and runs on a fully managed, serverless infrastructure. It eliminates custom connector development and reduces integration time from weeks to minutes.
Q75. What is Amazon Lightsail?
Amazon Lightsail is the easiest way to get started with AWS for developers who need a simple cloud platform for low-complexity applications and websites. Lightsail provides virtual servers, storage, databases, and networking as easy-to-understand bundled plans at predictable monthly pricing. It includes pre-configured application stacks (WordPress, LAMP, Node.js, Magento) and management features (snapshots, monitoring, DNS) with a simplified console suitable for beginners.
Q76. What is the AWS Well-Architected Framework?
The AWS Well-Architected Framework describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. It is organized around six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. The Well-Architected Tool in the console allows you to review workloads against the framework's questions and get improvement recommendations.
Q77. What is Amazon MSK?
Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. MSK manages the provisioning, configuration, and maintenance of Kafka clusters, including patching, replication, and automatic recovery from broker failures. MSK Serverless automatically provisions and scales capacity; MSK Connect enables managed Kafka Connect deployments for data integration.
Q78. What is AWS Lake Formation?
AWS Lake Formation is a service that makes it easy to set up, secure, and manage your data lake. Lake Formation simplifies data ingestion (from databases, S3) into the lake, applies ML-powered transformations with Blueprints, and enforces fine-grained access control (row-level, column-level security) using LF-Tags. It integrates with Glue Data Catalog, Athena, Redshift Spectrum, EMR, and QuickSight for a governed analytics ecosystem.
Q79. What is Amazon WorkMail?
Amazon WorkMail is a secure, managed business email and calendar service with support for existing desktop and mobile email client applications. WorkMail supports Microsoft Outlook on Windows and macOS, iOS and Android mail clients, and any IMAP-compatible email clients. It provides message journaling, email flow rules, mobile device management policies, and integration with WorkDocs and WorkSpaces for a complete managed workplace solution.
Q80. What is AWS Artifact?
AWS Artifact is your go-to central resource for compliance-related information about AWS services. Artifact provides on-demand access to AWS security and compliance reports (SOC 1, SOC 2, SOC 3, PCI DSS, ISO 27001, ISO 9001, FedRAMP, HIPAA eligibility, GDPR DPA) and online agreements (Business Associate Addendum for HIPAA, GDPR DPA). Reports are automatically kept up-to-date and can be shared with auditors and regulators.
Intermediate Questions (81-150)
Q81. Explain EC2 instance metadata and user data.
EC2 instance metadata is data about your instance that you can access from within the running instance at the URL http://169.254.169.254/latest/meta-data/. Metadata includes instance ID, AMI ID, instance type, security groups, public/private IP, and IAM role credentials. Instance user data is provided at launch (up to 16 KB) and is accessible at http://169.254.169.254/latest/user-data/; it runs as root at instance startup for bootstrapping (installing software, configuring services). IMDSv2 requires session-oriented requests for enhanced security against SSRF attacks.
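To make the IMDSv2 session requirement concrete, here is an added example (not code from the page): a small mock of the metadata endpoint on loopback that enforces tokens, beside a client that performs the PUT-then-GET flow. The mock models only the token gate; the instance ID and base URL are constructed stand-ins for the real http://169.254.169.254 service.

```python
"""Constructed IMDSv2 demonstration (added example, not from the page).

A tiny mock of the metadata endpoint runs on loopback so the exchange can be
seen offline; the real service lives at http://169.254.169.254 and the mock
models only the token gate, not the full metadata tree.
"""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
FAKE_INSTANCE_ID = "i-0123456789abcdef0"  # constructed value, not a real instance

# Bypass any http_proxy in the environment: IMDS is a link-local address and
# is never reached through a proxy on a real instance either.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Behaves like an instance configured with HttpTokens=required (IMDSv2 only)."""

    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Step 1 of IMDSv2: a PUT carrying a TTL header (1..21600 s) returns a session token.
        ttl = self.headers.get(TTL_HEADER, "")
        if self.path == "/latest/api/token" and ttl.isdigit() and 1 <= int(ttl) <= 21600:
            token = secrets.token_urlsafe(32)
            self.issued_tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "missing or invalid TTL header")

    def do_GET(self):
        # Step 2: every metadata read must carry a valid token, otherwise 401.
        # A plain GET, which IMDSv1 accepted, is refused; the same check guards
        # /latest/meta-data/iam/security-credentials/ on a real instance.
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            self._reply(401, "Unauthorized")
        elif self.path == "/latest/meta-data/instance-id":
            self._reply(200, FAKE_INSTANCE_ID)
        else:
            self._reply(404, "Not Found")


def start_mock_imds():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _open(req):
    """Return (status, body) and turn HTTP errors into a status tuple."""
    try:
        with _opener.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.reason


def imdsv1_get(base_url, path):
    """The legacy, token-less request style."""
    return _open(urllib.request.Request(base_url + path))


def imdsv2_get(base_url, path, ttl_seconds=21600):
    """Fetch a session token first, then read metadata with the token header."""
    token_req = urllib.request.Request(
        base_url + "/latest/api/token", method="PUT", headers={TTL_HEADER: str(ttl_seconds)}
    )
    status, token = _open(token_req)
    if status != 200:
        return status, token
    return _open(urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token}))


if __name__ == "__main__":
    server, base = start_mock_imds()
    print("IMDSv1-style GET :", imdsv1_get(base, "/latest/meta-data/instance-id"))
    print("IMDSv2 token flow:", imdsv2_get(base, "/latest/meta-data/instance-id"))
    server.shutdown()
```

On a real instance the same behaviour is enforced with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`.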
Q82. How does S3 versioning work?
S3 versioning preserves, retrieves, and restores every version of every object stored in a bucket. When versioning is enabled, every overwrite or delete creates a new version rather than replacing or deleting the object; deletions result in a delete marker being added, not actual removal. Versioning cannot be disabled once enabled—only suspended. MFA Delete requires MFA authentication to permanently delete object versions or change versioning state, providing an additional security layer.
Q83. What are S3 lifecycle policies?
S3 lifecycle policies automate the transition of objects between storage classes and the expiration (deletion) of objects based on age or other criteria. Transition actions move objects from Standard to Standard-IA (minimum 30 days), then to Glacier Flexible Retrieval (minimum 90 days total), then to Glacier Deep Archive; expiration actions permanently delete objects or delete expired delete markers. Lifecycle rules can filter by prefix, object tags, or object size to apply policies to subsets of objects.
Q84. Explain IAM policies: identity-based vs. resource-based.
Identity-based policies are JSON documents attached to IAM identities (users, groups, roles) that grant or deny permissions to perform actions on resources. Resource-based policies are JSON documents attached to resources (S3 buckets, SQS queues, KMS keys, Lambda functions) that specify who (principals) can access the resource. When both exist, the effective permissions are the union, unless there is an explicit Deny. Resource-based policies also enable cross-account access without assuming a role.
Q85. What is an IAM role and when would you use it?
An IAM role is an IAM identity with specific permissions that can be assumed by trusted entities—AWS services, IAM users in the same or different account, or web identity/SAML federated identities. Roles do not have permanent credentials; assuming a role provides temporary security credentials (via STS). Common uses: EC2 instance profile for S3/DynamoDB access (no hardcoded credentials), Lambda execution role, cross-account access, and federated identity for employees accessing AWS via corporate SSO.
Q86. What are VPC Security Groups vs. Network ACLs?
Security Groups are stateful virtual firewalls at the instance/ENI level—return traffic for allowed inbound traffic is automatically allowed outbound regardless of outbound rules. Network ACLs are stateless firewalls at the subnet level—you must explicitly allow both inbound and outbound traffic for each direction. Security Groups support only Allow rules (implicit deny); NACLs support both Allow and Deny rules evaluated in numbered order. Security Groups are the first line of defense for instance-level control; NACLs provide subnet-level control.
Q87. Explain the difference between horizontal and vertical scaling on AWS.
Vertical scaling (scale up) increases the size of an instance (more CPU, RAM, storage) by stopping the instance, changing the instance type, and restarting—causing downtime and having physical limits. Horizontal scaling (scale out) adds more instances to distribute load, achieved automatically with Auto Scaling Groups and load balancers—no downtime and virtually unlimited scale. AWS architecture best practices favor horizontal scaling for stateless applications to achieve elastic, fault-tolerant designs.
Q88. What is RDS Multi-AZ vs. Read Replica?
RDS Multi-AZ creates a synchronous standby replica in a different AZ for high availability and automatic failover (typically 60-120 seconds)—the standby is not accessible for reads. Read Replicas use asynchronous replication and serve application read traffic to offload the primary instance; they support cross-region replication and can be promoted to standalone DB instances. Multi-AZ is for durability/availability; Read Replicas are for read scalability. Aurora uses a different shared storage model achieving both benefits natively.
Q89. How does DynamoDB achieve single-digit millisecond performance?
DynamoDB achieves single-digit millisecond performance through its distributed, SSD-backed storage architecture, consistent hashing for partition key distribution across storage nodes, and in-memory buffering of writes. All data is automatically replicated across three AZs synchronously before acknowledging writes. Provisioned throughput (RCUs/WCUs) reserves capacity on nodes for predictable performance; DynamoDB Accelerator (DAX) is an in-memory cache delivering microsecond response times for read-heavy workloads.
Q90. Explain Lambda cold start and mitigation strategies.
A Lambda cold start occurs when a new execution environment is initialized for a function invocation—AWS must allocate infrastructure, start the runtime, and execute initialization code outside the handler. Cold starts typically add 100ms-1s latency depending on runtime (Java/C# are worse) and package size. Mitigation strategies include: Provisioned Concurrency (pre-initialized environments ready to respond), keeping functions warm with scheduled pings, minimizing deployment package size, avoiding VPC if possible (or using VPC lattice with hyperplane ENIs), and using interpreted runtimes (Python, Node.js) for latency-sensitive functions.
Q91. What are CloudFormation nested stacks and why use them?
CloudFormation nested stacks are stacks created within another CloudFormation stack using the AWS::CloudFormation::Stack resource type, referencing a child template URL in S3. Nested stacks allow decomposition of complex architectures into reusable, manageable components—a root stack orchestrates VPC, security, application, and database child stacks. Cross-stack references via Outputs/ImportValue allow sharing resource ARNs between stacks. Nested stacks help overcome the 500-resource limit per stack and enable team-based template ownership.
Q92. How does CloudFront caching work and how do you invalidate cache?
CloudFront caches content at edge locations based on cache behaviors defined by path patterns. Cache behavior settings control TTL (minimum, default, maximum), query string forwarding, header/cookie forwarding, and compression. Origin Cache-Control and Expires headers control caching; CloudFront respects these or uses configured TTL overrides. Cache invalidation submits an invalidation request specifying paths (/* for all) to remove objects before TTL expiration—first 1,000 invalidation paths per month are free. Versioned URLs (appending version to filenames) are preferred over invalidations for cost efficiency.
Q93. Explain AWS Auto Scaling policies: Target Tracking vs. Step Scaling.
Target Tracking scaling maintains a specified metric at a target value (e.g., keep CPU at 50%)—AWS automatically creates and manages CloudWatch alarms and adjusts capacity to keep the metric at the target. Step Scaling uses CloudWatch alarms and defines scaling adjustments based on the breach size (alarm threshold + adjustment steps); as the metric deviates further from threshold, larger adjustments are applied. Target Tracking is simpler and recommended for most cases; Step Scaling provides more granular control for complex scaling needs.
Q94. What is an Application Load Balancer listener rule?
ALB listener rules define conditions and actions that determine how the ALB routes requests received by the listener. Rule conditions include host-based routing (route api.example.com to one target group, app.example.com to another), path-based routing (/api/* to backend, /* to frontend), HTTP method, query string, source IP, and HTTP headers. Rule actions include forward (to target group or weighted group), redirect (301/302 with configurable URL), and fixed-response (return static response without forwarding). Rules are evaluated in priority order.
Q95. What is VPC Flow Logs?
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. Flow logs can be published to CloudWatch Logs or S3; they can be created at VPC, subnet, or ENI level. Each flow log record includes source/destination IP, source/destination port, protocol, packet count, byte count, start/end time, and ACCEPT/REJECT action based on security group and NACL decisions. Flow logs are essential for network troubleshooting, security analysis, and compliance auditing.
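As an added illustration of the security-analysis use of flow logs (example code, not from the page), the block below parses records in the default 14-field format and runs two simple checks over constructed sample lines: external sources whose REJECTed flows sweep many ports, and ACCEPTed admin-port traffic from outside the VPC. The VPC CIDR, account ID, ENI ID and addresses are constructed.

```python
"""Constructed VPC Flow Log triage (added example, not code from the page).

The sample records below are made up but follow the default 14-field flow log
format; VPC_CIDR is an assumption about the monitored VPC's address space.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC address space

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records: one external host probing several ports (all REJECT),
# normal HTTPS in both directions, an ACCEPTed SSH session from the internet,
# and a NODATA record whose traffic fields are '-'.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 44312 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 44313 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 44314 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 44315 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51000 443 6 12 5400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.9 443 51000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51001 22 6 30 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000600 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom log formats need their own field list
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def _is_external(addr):
    return ipaddress.ip_address(addr) not in VPC_CIDR


def rejected_port_sweeps(records, min_ports=3):
    """External sources whose REJECTed flows touch at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["srcaddr"] and _is_external(rec["srcaddr"]):
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def accepted_admin_from_internet(records, admin_ports=(22, 3389)):
    """ACCEPTed inbound flows to admin ports from outside the VPC; review the security group."""
    hits = []
    for rec in records:
        if (rec["action"] == "ACCEPT" and rec["srcaddr"] and rec["dstport"] in admin_ports
                and _is_external(rec["srcaddr"]) and not _is_external(rec["dstaddr"])):
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("port sweeps   :", rejected_port_sweeps(recs))
    print("admin access  :", accepted_admin_from_internet(recs))
```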
Q96. How does AWS STS (Security Token Service) work?
AWS Security Token Service (STS) issues temporary, limited-privilege credentials for IAM users or federated users. STS operations include AssumeRole (for role switching and cross-account access), AssumeRoleWithWebIdentity (for OpenID Connect identity providers like Google, Cognito), AssumeRoleWithSAML (for SAML 2.0 federation), GetFederationToken, and GetSessionToken (for MFA-protected API calls). Temporary credentials include access key ID, secret access key, and session token, expiring in 15 minutes to 12 hours.
Q97. Explain S3 Transfer Acceleration.
Amazon S3 Transfer Acceleration uses CloudFront's globally distributed edge locations to accelerate uploads to S3 over long distances. Clients upload to the nearest CloudFront edge location using an accelerated endpoint (bucket.s3-accelerate.amazonaws.com); data is then transferred over AWS's optimized network backbone to the S3 bucket. Transfer Acceleration is beneficial when uploading from geographically distant clients; the Speed Comparison tool lets you test whether acceleration provides a speed benefit before enabling.
Q98. What is AWS Global Accelerator?
AWS Global Accelerator is a networking service that improves the availability and performance of applications for global users by routing traffic through AWS's global network infrastructure rather than the public internet. Global Accelerator provides two static Anycast IP addresses as a fixed entry point; traffic is directed to the optimal regional AWS endpoint (ALB, NLB, EC2) based on health, geography, and routing policies. Unlike CloudFront (cache-based CDN), Global Accelerator is suited for non-cacheable content, gaming, IoT, and dynamic applications requiring consistent performance.
Q99. What are DynamoDB Global Tables?
DynamoDB Global Tables provide a fully managed, multi-region, multi-active replication solution enabling reading and writing to any replica table in any selected AWS region. Global Tables use last-writer-wins reconciliation for concurrent writes and typically achieve sub-second replication between regions. Use cases include globally distributed applications requiring low-latency local reads and writes, disaster recovery, and regional data sovereignty compliance. Version 2019.11.21 (current) supports adding replicas without table re-creation and uses on-demand/provisioned billing.
Q100. Explain Amazon ECS task definition components.
An ECS task definition is a JSON blueprint describing application containers. Key components include: container definitions (Docker image, CPU/memory, port mappings, environment variables, secrets from Secrets Manager/SSM), task-level CPU and memory (for Fargate), task IAM role (permissions for containers), execution role (ECS agent permissions to pull images and write logs), network mode (awsvpc for Fargate, bridge/host for EC2), volumes (EFS mounts, bind mounts), and logging configuration (awslogs driver for CloudWatch). Task definitions are versioned; services reference specific revisions.
Q101. What is AWS X-Ray?
AWS X-Ray helps developers analyze and debug distributed applications in production or in development, such as microservices architectures. X-Ray collects data about requests that your application serves and provides tools for viewing, filtering, and gaining insights into that data to identify issues and optimization opportunities. X-Ray traces show the path of a request through your application with segments, subsegments, and annotations; the service map visualizes dependencies and response time distributions.
Q102. What is Amazon EventBridge vs. SNS vs. SQS?
SNS is a pub/sub service for fan-out scenarios where one message goes to multiple subscribers (push model)—great for notifications and parallel processing. SQS is a message queue for decoupling producers and consumers with buffering (pull model)—ideal for load leveling and ensuring messages are processed. EventBridge is an event router with rich filtering and routing based on event patterns, supporting 200+ AWS services and SaaS sources—ideal for event-driven architectures. Often combined: EventBridge routes events to SNS (fan-out) and SQS (buffering) for complementary functions.
Q103. How does AWS cost allocation work with tags?
AWS cost allocation tags allow you to assign metadata (key-value pairs) to AWS resources, enabling cost tracking by project, team, environment, or cost center in Cost Explorer and AWS Cost and Usage Reports. Tags must be activated in the Billing console as cost allocation tags; AWS-generated tags (aws:createdBy) are also available. Combined with AWS Budgets (budget alerts and actions), Cost Anomaly Detection (ML-based spending anomalies), and Savings Plans coverage reports, tagging enables granular FinOps practices.
Q104. Explain the differences between S3 storage classes.
S3 Standard offers 99.99% availability and 11 nines durability for frequently accessed data with no retrieval fee. Standard-IA (Infrequent Access) has a lower storage price but per-GB retrieval fee—suitable for data accessed monthly. One Zone-IA stores in a single AZ (20% cheaper) for reproducible data. Intelligent-Tiering automatically moves objects between access tiers based on usage patterns without retrieval fees. Glacier Instant Retrieval offers archive pricing with millisecond access; Glacier Flexible Retrieval and Deep Archive provide lowest-cost storage for rarely accessed compliance archives with hour-scale retrieval.
Q105. What is CloudWatch Logs Insights?
CloudWatch Logs Insights is an interactive, pay-per-query log analytics service enabling you to search, analyze, and visualize log data using a purpose-built query language. Queries support filtering (filter @message like /ERROR/), aggregation (stats count(*) by bin(5m)), sorting, limiting, and parsing structured/unstructured log formats. Query results can be added to CloudWatch dashboards; Contributor Insights analyzes log patterns to identify top contributors to operational metrics. Insights automatically discovers log fields in JSON and common log formats.
Q106. What is Amazon EKS Fargate profile?
An EKS Fargate profile defines which pods run on AWS Fargate by specifying namespace and label selectors—matching pods are scheduled on Fargate without managing EC2 nodes. Fargate for EKS provides right-sized, isolated compute per pod with vCPU and memory configuration at the pod level. Limitations include no support for DaemonSets, stateful workloads requiring local storage, privileged containers, or custom AMIs; each Fargate pod gets an ENI and runs in a dedicated micro-VM for security isolation.
Q107. Explain AWS WAF rate-based rules.
AWS WAF rate-based rules automatically block IP addresses that send requests at a rate exceeding a defined threshold (minimum 100 requests per 5-minute window) to protect against DDoS attacks and brute-force login attempts. Rate limits can be applied per IP or per forwarded-IP (when behind a proxy); rate-based rules can include scope-down statements to count only requests matching specific conditions (path, header). Once the rate drops below the threshold, the block is automatically lifted after the evaluation period.
Q108. What is AWS CodeArtifact?
AWS CodeArtifact is a fully managed artifact repository service that makes it easy to securely store, publish, and share software packages used in development. CodeArtifact supports npm, PyPI, Maven, Gradle, NuGet, Swift, and generic package formats. Upstream repositories allow pulling packages from public repositories (npmjs.com, PyPI, Maven Central) through CodeArtifact, caching packages locally; domain-level sharing allows multiple repositories across accounts to share packages with consistent IAM controls.
Q109. How does Amazon Route 53 health checking work?
Route 53 health checkers are located around the world and send requests to your endpoints at the interval you specify (default 30 seconds, fast 10 seconds). Health checks monitor endpoints (HTTP, HTTPS, TCP), other health checks (calculated health checks combining multiple child checks), and CloudWatch alarms. DNS failover routing policies use health check status to route traffic—active-active (multiple healthy records), active-passive (primary route with failover to secondary when primary is unhealthy), and private hosted zone health checks using CloudWatch alarms.
Q110. What is AWS PrivateLink?
AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications without exposing traffic to the public internet. PrivateLink uses Interface VPC Endpoints—ENIs with private IP addresses in your VPC that serve as entry points for traffic destined to supported AWS services. Endpoint services allow you to expose your own service to other VPCs/accounts via PrivateLink, enabling private SaaS delivery. PrivateLink avoids bandwidth constraints and security exposure of VPC peering and transit gateway for service-specific connectivity.
Q111. What is S3 Object Lock?
S3 Object Lock prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely, meeting regulatory requirements for WORM (Write Once, Read Many) storage. Retention modes include Governance (authorized users can override) and Compliance (no one, including root, can delete/overwrite until retention expires). Legal Hold places an indefinite lock on individual object versions regardless of retention period. Object Lock requires versioning-enabled buckets and must be enabled at bucket creation.
Q112. Explain DynamoDB partition key design best practices.
Effective DynamoDB partition key design maximizes data distribution across partitions to avoid hot partitions (throttling). Best practices include using high-cardinality attributes (user IDs, UUIDs), adding a random suffix/prefix for write-heavy uniform distribution (write sharding), using composite keys (partition key + sort key) for hierarchical data models, and prefixing partition keys with the data type for single-table design. Avoid low-cardinality keys (status flags), sequential IDs (monotonically increasing creates hot partitions), and business-meaningful keys that might have uneven distribution.
Q113. What is Amazon Cognito user pool vs. identity pool?
Cognito User Pools are user directories that handle user registration, authentication (username/password, social/SAML/OIDC federation), MFA, account recovery, and email/phone verification—returning JWT tokens (ID, access, refresh) after authentication. Cognito Identity Pools (Federated Identities) exchange authenticated identities (from User Pools, social providers, SAML, developer-authenticated) for temporary AWS credentials via STS, enabling direct AWS service access from client apps. They are complementary: User Pools authenticate users; Identity Pools authorize AWS resource access.
Q114. How does VPC peering affect DNS resolution?
By default, DNS hostnames and DNS resolution for resources in a peered VPC are resolved using each VPC's local DNS. To enable resolution of private DNS hostnames across a peering connection, you must enable DNS resolution support for the peering connection in both VPCs—this allows instances in one VPC to resolve private DNS hostnames of instances in the peered VPC to private IP addresses. Route 53 Resolver endpoints (inbound/outbound) handle DNS resolution for hybrid environments with on-premises DNS servers.
Q115. What is Amazon MSK Connect?
Amazon MSK Connect is a feature of Amazon MSK that makes it easy to run fully managed Apache Kafka Connect workloads on AWS. MSK Connect automatically scales resources for Kafka Connect workers and enables use of community-built or custom connectors to stream data between Apache Kafka and external systems (databases, S3, Elasticsearch/OpenSearch, Salesforce). Connector plugins are stored in S3; MSK Connect monitors connector health and restarts failed tasks automatically without operational overhead.
Q116. What is the difference between AWS Secrets Manager and SSM Parameter Store?
Both store sensitive configuration data, but differ in features and cost. Secrets Manager costs $0.40/secret/month and provides native automatic rotation for supported databases, cross-account sharing, and resource-based policies. SSM Parameter Store has a free tier for standard parameters and $0.05/10,000 API interactions for advanced parameters; supports hierarchical parameter paths and versioning but requires custom Lambda functions for rotation. Use Secrets Manager for database credentials requiring rotation; Parameter Store for configuration data, feature flags, and non-sensitive values.
Q117. What is Amazon Kinesis Data Streams vs. Kinesis Data Firehose?
Kinesis Data Streams (KDS) is a real-time, ordered streaming service with configurable retention (1-365 days) where you manage consumers (custom applications using KCL or SDK, Lambda, Kinesis Data Analytics). KDS requires managing shard count (each shard: 1 MB/s write, 2 MB/s read) or using on-demand mode. Kinesis Data Firehose is fully managed with no consumer management—it buffers, transforms, and delivers data directly to S3, Redshift, OpenSearch, Splunk, or HTTP endpoints without writing consumer code. KDS is for real-time custom processing; Firehose is for simple reliable delivery to storage/analytics.
Q118. Explain AWS IAM Permission Boundaries.
IAM Permission Boundaries are managed policies attached to IAM entities (users/roles) that set the maximum permissions the entity can have—they define the boundary beyond which no policy can grant permissions. Even if an identity-based policy grants broader permissions, the effective permissions are limited to the intersection of the identity policy and the permission boundary. Boundaries are used to delegate permission management safely—developers can create roles for their applications but cannot grant permissions outside the boundary set by administrators.
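The following added example (not AWS code or the page's own) models the combination rules stated in Q84 and Q118 for a same-account principal: an explicit Deny always wins, identity-based permissions are intersected with a permissions boundary, and the result is unioned with a resource-based policy. The role ARN, bucket and queue names are constructed; Condition keys, NotAction/NotResource and cross-account evaluation are deliberately not modeled.

```python
"""Toy evaluator for the IAM combination rules in Q84 and Q118 (added example, not AWS code).

It handles Effect/Action/Resource/Principal with * and ? wildcards for a
same-account principal only; Condition, NotAction and cross-account rules are
left out, so treat it as a teaching model, not a replacement for the IAM policy simulator.
"""
from fnmatch import fnmatchcase

DEV_ROLE = "arn:aws:iam::123456789012:role/app-dev"  # constructed principal
ORDERS_QUEUE = "arn:aws:sqs:us-east-1:123456789012:orders"  # constructed resource

# Identity-based policy attached to the role: read-only S3 plus one EC2 action.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"},
]}

# Resource-based policy on the queue: grants the role access the identity policy lacks.
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE}, "Action": "sqs:SendMessage",
     "Resource": ORDERS_QUEUE},
]}

# Bucket policy with an explicit Deny on the audit prefix for everyone.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-bucket/audit/*"},
]}

# Permissions boundary set by administrators: the role may never exceed S3.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """True if any pattern (* and ? wildcards) matches value; actions are case-insensitive."""
    for pat in _as_list(patterns):
        if fold_case:
            pat, value = pat.lower(), value.lower()
        if fnmatchcase(value, pat):
            return True
    return False


def _principal_matches(statement, principal_arn):
    """Resource-based statements name a Principal; identity-based ones apply to the attached entity."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return any(p in ("*", principal_arn) for p in _as_list(aws))


def _effects(policy, action, resource, principal_arn):
    """Effects of the statements in a policy that apply to this request."""
    if policy is None:
        return []
    return [st["Effect"] for st in _as_list(policy.get("Statement"))
            if _principal_matches(st, principal_arn)
            and _matches(st.get("Action"), action, fold_case=True)
            and _matches(st.get("Resource", "*"), resource)]


def is_allowed(action, resource, principal_arn, identity_policies=(),
               resource_policy=None, boundary=None):
    """Explicit Deny wins; identity permissions are capped by the boundary; union with resource policy."""
    identity = [e for p in identity_policies for e in _effects(p, action, resource, principal_arn)]
    resource_eff = _effects(resource_policy, action, resource, principal_arn)
    boundary_eff = _effects(boundary, action, resource, principal_arn)
    if "Deny" in identity + resource_eff + boundary_eff:
        return False  # Q84: an explicit Deny anywhere overrides every Allow
    identity_allows = "Allow" in identity
    if boundary is not None:
        identity_allows = identity_allows and "Allow" in boundary_eff  # Q118: intersection
    return identity_allows or "Allow" in resource_eff  # Q84: union with resource-based policy


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/data/report.csv"
    print("read object via identity policy:", is_allowed("s3:GetObject", obj, DEV_ROLE, [IDENTITY_POLICY]))
    print("send to queue via resource policy:", is_allowed("sqs:SendMessage", ORDERS_QUEUE, DEV_ROLE, [IDENTITY_POLICY], QUEUE_POLICY))
    print("read audit prefix (explicit Deny):", is_allowed("s3:GetObject", "arn:aws:s3:::app-bucket/audit/x", DEV_ROLE, [IDENTITY_POLICY], BUCKET_POLICY))
    print("start instance under boundary   :", is_allowed("ec2:StartInstances", "*", DEV_ROLE, [IDENTITY_POLICY], boundary=BOUNDARY))
```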
Q119. What is Amazon WorkDocs?
Amazon WorkDocs is a fully managed, secure content creation, storage, and collaboration service. WorkDocs supports real-time document collaboration, version control, commenting, feedback workflows, and cross-platform access (web, desktop, mobile). The WorkDocs SDK enables developers to build custom applications and integrations; WorkDocs Drive mounts WorkDocs as a local drive. WorkDocs integrates with WorkSpaces, Active Directory, and supports SharePoint migration and SSO via IAM Identity Center.
Q120. How does Amazon SQS visibility timeout work?
When a consumer receives an SQS message, the message becomes invisible to other consumers for the visibility timeout period (default 30 seconds, max 12 hours). If the consumer processes and deletes the message before timeout, processing completes successfully. If the consumer fails or crashes, the message reappears in the queue after the timeout for reprocessing. Consumers can extend visibility timeout for long processing tasks using ChangeMessageVisibility. Dead-letter queues (DLQ) capture messages that fail after the maxReceiveCount threshold, isolating poison pill messages.
Q121. What is Amazon Elastic Transcoder vs. AWS Elemental MediaConvert?
Amazon Elastic Transcoder is an older, simpler media transcoding service for converting video files stored in S3 to formats playable on various devices; it's still available but AWS recommends MediaConvert for new projects. AWS Elemental MediaConvert is a file-based video transcoding service supporting a broader range of input/output formats, advanced encoding features (HDR, Dolby Vision, Dolby Atmos), captions processing, DRM, and ad insertion. MediaConvert provides better performance, more features, and is the recommended choice for professional broadcast and OTT workflows.
Q122. What is Amazon Textract?
Amazon Textract is a machine learning service that automatically extracts text and data from scanned documents, going beyond simple OCR to identify the contents of fields in forms and information stored in tables. Textract returns extracted text, form key-value pairs, table structures, and confidence scores; Queries API allows targeted extraction of specific information. Textract integrates with Augmented AI (A2I) for human review of low-confidence extractions and with Comprehend for NLP analysis of extracted text.
Q123. Explain AWS Glue Data Catalog.
The AWS Glue Data Catalog is a central metadata repository for all your data assets across your organization, compatible with the Apache Hive Metastore API. The catalog stores table definitions, schemas (column names and types), partition information, and data location for structured and semi-structured data in S3, JDBC databases, and other stores. Glue crawlers automatically populate the catalog by scanning data sources and inferring schemas; the catalog is used by Athena, Redshift Spectrum, EMR, and Glue ETL jobs as their metastore.
Q124. What is CloudFormation drift detection?
CloudFormation drift detection identifies differences between the expected stack resource configuration (defined in the template) and the actual configuration of the live resources (which may have been modified outside CloudFormation). Drift detection compares each resource's expected properties against its actual properties and reports resources as IN_SYNC, MODIFIED, DELETED, or NOT_CHECKED. Drift detection helps enforce infrastructure-as-code discipline and identify unauthorized or accidental manual changes that could cause stack update failures.
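To make the comparison concrete, here is an added example that reimplements the core of that check over constructed template and live data: it classifies each resource as IN_SYNC, MODIFIED, DELETED or NOT_CHECKED and reports property differences using the ADD / REMOVE / NOT_EQUAL difference types CloudFormation uses in its PropertyDifference output. It is not the service's own code; the resources, the set of "supported" types, and the manually added rule are all constructed for illustration.

```python
"""Toy CloudFormation drift checker (added example, not AWS code). Compares
expected template properties against a constructed snapshot of live
resources and classifies drift the way the service reports it."""
from typing import Any, Dict, List, Tuple

# Types this toy checker can compare; anything else is NOT_CHECKED, which is
# also how CloudFormation treats resource types drift detection does not support.
SUPPORTED_TYPES = {"AWS::EC2::SecurityGroup", "AWS::S3::Bucket"}


def diff_properties(expected: Any, actual: Any, path: str = "") -> List[Tuple[str, str]]:
    """Recursive diff returning (property path, DifferenceType).
    REMOVE: in template but not live; ADD: live but not in template;
    NOT_EQUAL: both present with different values. Lists are indexed."""
    if isinstance(expected, list) and isinstance(actual, list):
        expected, actual = dict(enumerate(expected)), dict(enumerate(actual))
    diffs: List[Tuple[str, str]] = []
    for key in sorted(set(expected) | set(actual)):
        p = f"{path}/{key}"
        if key not in actual:
            diffs.append((p, "REMOVE"))
        elif key not in expected:
            diffs.append((p, "ADD"))
        elif isinstance(expected[key], (dict, list)) and isinstance(actual[key], (dict, list)):
            diffs.extend(diff_properties(expected[key], actual[key], p))
        elif expected[key] != actual[key]:
            diffs.append((p, "NOT_EQUAL"))
    return diffs


def detect_drift(template: Dict[str, Dict], live: Dict[str, Dict]) -> Dict[str, Dict]:
    """Per-resource drift status, keyed by logical ID."""
    report = {}
    for logical_id, res in template.items():
        if res["Type"] not in SUPPORTED_TYPES:
            report[logical_id] = {"status": "NOT_CHECKED", "differences": []}
            continue
        actual = live.get(logical_id)
        if actual is None:
            report[logical_id] = {"status": "DELETED", "differences": []}
            continue
        diffs = diff_properties(res["Properties"], actual)
        report[logical_id] = {"status": "MODIFIED" if diffs else "IN_SYNC",
                              "differences": diffs}
    return report


def stack_status(report: Dict[str, Dict]) -> str:
    """Stack-level result: DRIFTED if any resource is MODIFIED or DELETED."""
    drifted = any(r["status"] in ("MODIFIED", "DELETED") for r in report.values())
    return "DRIFTED" if drifted else "IN_SYNC"


# Constructed template: HTTPS-only web security group, versioned log bucket,
# and a custom resource that drift detection cannot inspect.
TEMPLATE = {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"}}},
    "Notifier": {"Type": "Custom::SlackHook", "Properties": {"Channel": "#ops"}},
}

# Constructed live state: someone added an SSH rule by hand and the log
# bucket was deleted outside CloudFormation.
LIVE = {
    "WebSg": {"GroupDescription": "web tier",
              "SecurityGroupIngress": [
                  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]},
}

# Same template applied cleanly: every checked resource matches.
LIVE_IN_SYNC = {
    "WebSg": TEMPLATE["WebSg"]["Properties"],
    "LogsBucket": TEMPLATE["LogsBucket"]["Properties"],
}

if __name__ == "__main__":
    rep = detect_drift(TEMPLATE, LIVE)
    for lid, r in rep.items():
        print(lid, r["status"], r["differences"])
    print("stack:", stack_status(rep))
```

A MODIFIED security group with an ADD difference on its ingress list is exactly the kind of finding that should feed an alert rather than a quiet stack update, because the next deploy would either fail or silently revert the manual change.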
Q125. What is Amazon Comprehend?
Amazon Comprehend is a natural language processing (NLP) service that uses ML to find insights and relationships in text. Comprehend can identify the language of the text, extract key phrases and named entities (persons, organizations, locations, dates), determine sentiment (positive, negative, neutral, mixed), and classify documents into custom categories. Comprehend Medical specializes in clinical text—extracting medical entities, medications, diagnoses, and PHI. Comprehend Custom enables training custom entity recognition and classification models.
Q126. How does Amazon EBS snapshot work and what is EBS fast snapshot restore?
EBS snapshots are incremental backups stored in S3—the first snapshot copies all data, subsequent snapshots store only changed blocks since the last snapshot. Snapshots can be copied across regions, shared with other accounts, and used to create new EBS volumes or AMIs. EBS Fast Snapshot Restore (FSR) eliminates the latency of I/O operations on a volume initialized from a snapshot (lazy loading phenomenon), enabling full performance immediately. FSR can be enabled per snapshot per AZ; it incurs additional charges per enabled AZ-hour.
Q127. What is AWS Config and how does it differ from CloudTrail?
AWS Config provides a detailed inventory of your AWS resources and records configuration changes over time, evaluating resources against desired configurations using Config Rules. Config answers the questions "What did my AWS resource look like at time X?" and "Is this resource compliant with my policies?" CloudTrail records API call history, answering "Who made what API call, and when?" Config Rules use managed rules (pre-built) or custom Lambda functions to detect non-compliant resources; remediation actions can automatically correct violations.
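The custom-rule path mentioned above is a Lambda function that receives a configuration item from Config and reports a verdict with PutEvaluations. The following added example (not AWS sample code) implements such a rule for one common control: flag any security group whose ingress allows TCP/22 from 0.0.0.0/0 or ::/0. The compliance logic is a pure function so it can be tested offline; only the handler touches the SDK. The configuration-item field names (ipPermissions, fromPort, ipRanges, cidrIp) follow what Config records for AWS::EC2::SecurityGroup, which mirrors the camelCased describe-security-groups output; treat that shape as an assumption to verify against your own recorder output, and the sample items below are constructed.

```python
"""Custom AWS Config rule: security groups must not expose TCP/22 to the
world. Added example, not AWS sample code. evaluate_compliance() is pure;
lambda_handler() is the entry point Config invokes."""
import json
from typing import Any, Dict

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def permission_covers_port(perm: Dict[str, Any], port: int) -> bool:
    """True if one ipPermissions entry includes `port` for TCP, or all traffic."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":                       # all protocols / all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def permission_open_to_world(perm: Dict[str, Any]) -> bool:
    """True if the entry's CIDR sources include the IPv4 or IPv6 any-address."""
    v4 = any(r.get("cidrIp") == ANY_IPV4 for r in perm.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == ANY_IPV6 for r in perm.get("ipv6Ranges", []))
    return v4 or v6


def evaluate_compliance(item: Dict[str, Any], port: int = 22) -> Dict[str, str]:
    """Return ComplianceType plus a short Annotation, as PutEvaluations expects.
    Assumption: `item` is a Config configuration item for a security group."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "not a security group"}
    if item.get("configurationItemStatus") in DELETED_STATES:
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "resource deleted"}
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if permission_covers_port(perm, port) and permission_open_to_world(perm):
            return {"ComplianceType": "NON_COMPLIANT",
                    "Annotation": f"tcp/{port} reachable from any address"}
    return {"ComplianceType": "COMPLIANT",
            "Annotation": f"no tcp/{port} ingress from any address"}


def lambda_handler(event, context):
    """Config invokes this with the configuration item embedded in invokingEvent;
    the verdict is written back with PutEvaluations using the supplied ResultToken."""
    import boto3  # imported here so the pure logic above runs without the SDK
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters", "{}"))
    verdict = evaluate_compliance(item, int(params.get("port", 22)))
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": verdict["ComplianceType"],
            "Annotation": verdict["Annotation"],
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return verdict


# Constructed configuration items (placeholder IDs, not real resources).
OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-EXAMPLE-open",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
ALL_TRAFFIC_V6_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-EXAMPLE-v6",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]},
}
LOCKED_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-EXAMPLE-locked",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
BUCKET_ITEM = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
               "configurationItemStatus": "OK", "configuration": {}}
```

The NOT_APPLICABLE branches matter in practice: a rule that reports NON_COMPLIANT for a deleted resource or for an unrelated resource type produces stale findings that never clear, so handle those states before inspecting the configuration. Pair the rule with a remediation action (for example, an SSM Automation document that revokes the offending ingress entry) once you trust its precision.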
Q128. What is Amazon ECS Service Discovery?
ECS Service Discovery uses AWS Cloud Map to automatically register ECS tasks with DNS or Cloud Map service registry, enabling services to discover each other by name rather than hardcoded IPs. When tasks launch, ECS automatically creates DNS records (A records for awsvpc network mode) in a Route 53 private hosted zone; health checking removes unhealthy tasks from the registry. Service Connect (newer) provides simpler service-to-service communication with built-in load balancing and observability through CloudWatch metrics without managing Cloud Map directly.
Q129. Explain AWS Cost Explorer vs. AWS Budgets.
AWS Cost Explorer is a visualization tool for analyzing historical AWS spending and usage patterns—it provides pre-built reports, custom report creation with filters/grouping, Cost Explorer API for programmatic access, and Rightsizing Recommendations for underutilized EC2/RDS. AWS Budgets enables proactive cost control by setting custom thresholds on cost, usage, RI coverage, RI utilization, Savings Plans coverage, and triggering alerts (email, SNS) or automated actions (apply SCPs, apply IAM policies, stop EC2/RDS instances) when thresholds are breached. Use Cost Explorer for analysis; Budgets for governance.