Top AWS DevOps interview questions for experienced DevOps

As an experienced AWS DevOps engineer with hands-on expertise, the questions posed to you in an AWS DevOps interview will differ from those posed to a junior candidate. However, interviews cover a range of questions to gauge skills and expertise: advanced questions are expected, but easy ones are not uncommon.

The questions encompass different domains, including:

  1. IAM (Identity and Access Management)
  2. Amazon EC2 (Elastic Compute Cloud)
  3. Amazon RDS (Relational Database Service)
  4. Multi-Account considerations

What are the most common AWS DevOps interview questions?

AWS IAM Questions

1. What is the “root” user in an AWS Account?

The primary user account established during the initial setup of an AWS account is known as the root user. This account possesses full control over all resources and services within the AWS account. The root user is the principal individual responsible for creating and opening the AWS account, and they also can close the AWS account.

2. Should we use “root” user for our daily operations?

No, use of “root” is discouraged. It is a best practice to create new IAM users and assign each one precise permissions tailored to particular tasks, which enhances overall security and control within the AWS environment.

3. How can we monitor the “root” user activity?

The interviewer is trying to judge your experience with AWS services with this question.

To monitor the activities of the “root” user, AWS CloudTrail can be used to write logs to a CloudWatch Logs log group. A metric filter can then be configured on the log group to initiate a notification via Amazon SES (Simple Email Service) to an SNS (Simple Notification Service) topic.

The metric filter, implemented in JSON (JavaScript Object Notation), activates upon detecting a “root” login.
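The kind of metric filter described above, as an added example that is not part of the original article. The filter pattern is the one used by the CIS AWS Foundations Benchmark for root account usage (it counts any root activity, not only logins); the Python function re-implements its three conditions so they can be checked against constructed CloudTrail records.

```python
import json

# CloudWatch Logs filter pattern (JSON syntax) for root account usage,
# as published in the CIS AWS Foundations Benchmark.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" '
    '&& $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

def is_root_activity(event: dict) -> bool:
    """Local re-implementation of the three conditions in the pattern above."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity          # not a service acting on root's behalf
        and event.get("eventType") != "AwsServiceEvent"
    )

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_LOG_LINES = [
    '{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}',
    '{"eventName":"DescribeInstances","eventType":"AwsApiCall",'
    '"userIdentity":{"type":"IAMUser","userName":"alice"}}',
    '{"eventName":"Decrypt","eventType":"AwsServiceEvent",'
    '"userIdentity":{"type":"Root","invokedBy":"kms.amazonaws.com"}}',
    '{"eventName":"DeleteTrail","eventType":"AwsApiCall",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}',
]

def root_events(lines):
    """Return the eventName of every record the metric filter would count."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_root_activity(event):
            hits.append(event["eventName"])
    return hits

if __name__ == "__main__":
    print(ROOT_USAGE_FILTER_PATTERN)
    print(root_events(SAMPLE_LOG_LINES))
```

The service-initiated record is excluded even though its identity type is Root, which keeps the alarm from firing on AWS-internal events.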

4. How should we secure the root account?

This question tests your knowledge of basic AWS security. There are a few things you need to do to secure the root account:

  1. Enforce MFA (Multi-factor authentication)
  2. Enforce a strong password
  3. Use a hardware MFA and discourage virtual MFA
  4. Create a procedure to access the root account and document it. This document should provide a step-by-step guide for obtaining access to the root account. 
  5. Monitor the logins/failed access and activity of the root account.

Following IAM best practices is key to operating a safe account.

5. What is AWS CIS benchmark?

The CIS (Center for Internet Security) benchmark is a set of guidelines released every year on how to improve the security posture of AWS accounts. We can use automation tools such as Terraform and CloudFormation to enforce these rules.

6. Some developers want to access the resources in an account; how can I grant access to them from their local computer?

We can use AWS SSO (single sign-on service) to create temporary credentials. Access keys and secret keys should be avoided as they are persistent and can be exposed. They may be used if AWS SSO is disabled, but only with the assumed role policy. Developers will assume a role with stronger permissions.

7. An application running on EC2 needs to access the S3 bucket; the application just needs read permission. How do you grant them access?

We can use an EC2 instance profile to access resources without the need for access keys. An IAM policy with read permission will be assigned so only read operations can be executed.

Note: The EC2 Instance profile is highly important as it shows you are following the best practice!

8. Multiple developers would like to have admin permission, but as an organization we do not allow certain actions, such as creating expensive EC2 instances. What solution would you propose?

We can use either a permission boundary or an SCP with a deny action preventing expensive EC2 instance types.

9. We have many accounts and we are operating under AWS Organizations. How can we enforce preventive measures at the account level?

AWS Organizations offers SCPs (Service Control Policies). An SCP allows us to define a JSON policy that prevents certain actions from taking place, such as denying RDS creation.
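An SCP of the kind questions 8 and 9 describe, as an added example that is not part of the original article. The allowed instance types are an assumption chosen for illustration, and `is_denied` is a simplified local check of this one statement shape, not the full IAM policy evaluation engine.

```python
import json
from fnmatch import fnmatchcase

# Assumption for this example: the organization permits only these types.
ALLOWED_INSTANCE_TYPES = ["t3.*", "t3a.*", "m5.large"]

def build_instance_type_scp(allowed):
    """SCP that denies ec2:RunInstances unless the instance type is allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyExpensiveInstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {"ec2:InstanceType": allowed}},
        }],
    }

def is_denied(scp, action, instance_type):
    """Return True if the SCP's deny statement applies to this request."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        patterns = stmt["Condition"]["StringNotLike"]["ec2:InstanceType"]
        # StringNotLike with several values holds only if none of them match.
        if not any(fnmatchcase(instance_type, p) for p in patterns):
            return True
    return False

SCP = build_instance_type_scp(ALLOWED_INSTANCE_TYPES)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for itype in ("t3.micro", "m5.large", "m5.24xlarge", "p4d.24xlarge"):
        verdict = "DENY" if is_denied(SCP, "ec2:RunInstances", itype) else "not denied"
        print(f"{itype}: {verdict}")
```

Because an SCP deny applies even to principals with administrator policies in the member account, developers can keep admin permission while the instance-type limit still holds.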

10. A developer is complaining that their role is not working as expected. How can you help in this situation?

Recommend viewing the IAM policy attached to their role and using the IAM Policy Simulator.

AWS EC2 Questions

11. What’s the best practice in installing software on an EC2 instance?

When installing software on an EC2 instance, the following are recommended practices:

  1. Utilizing cloud-init during instance launch: As part of the instance launch procedure, install and configure the software using cloud-init, a cloud instance initialization approach.
  2. Image baking with Packer: Make specialized images using Packer that contain the installed applications and operating system. To verify compliance with security, launch instances from these images.

12. How to connect to an EC2 server?

We can use Session Manager because it doesn’t need SSH keys. We can also utilise a VPC endpoint to be more secure and have instances without a public IP.

Note: This question comes up very often in an AWS DevOps interview, as usage of public-private keys is a flag of not being up to date with cloud capabilities.

13. Can we increase the storage volume on a running instance?

Yes, we can. However, it needs to be considered that increasing cloud storage volume is usually a poor design. There is an EFS (Elastic File System) type of storage, which has a limit of 47.9 TB (terabytes).

14. If we stop an instance, what are we being charged for?

The volume and public IP.

15. How to be sure that my EC2 instance is not open to the public?

Security groups are used for this purpose. Security group rules decide which IP address can access a port. Security group and Network ACL both play a role. Firewall configuration on the actual instance can also determine whether the instance is publicly accessible or not.

16. An application needs to be deployed to an EC2 instance. We would like to use AWS services only. Please explain how we can deliver this pipeline.

We can utilise CodePipeline, CodeBuild and CodeDeploy. The key service here is CodeDeploy, which deploys the code to the server.

17. We have a steady load on our servers, and the finance team has asked us to investigate ways we can reduce costs. As an architect, what is the easiest cost-reduction way you recommend?

Reserved instances are the way to go. We can buy an instance for a lower rate for a one-year or three-year period. If the situation changes and our loads increase, we can use on-demand or spot instances. The use of spot instances depends on the application architecture.

18. Our application writes data into a log file. Since we do not have access to the instances, how can the engineers obtain access to these log files for debugging purposes?

The CloudWatch agent installed on the instance can write the logs to a CloudWatch log group. We can customize the agent configuration file to read certain log files. CloudWatch offers Logs Insights, which supports query filtering on the log file. In this case, there is no need to access the server, and servers without an internet connection can still write their logs to the CloudWatch log group.

19. Due to new IT security requirements all activity on an instance needs to be logged and when an engineer accesses a server, a notification needs to be sent to a group. How can this be achieved?

We can use Session Manager logging, where all commands executed on the server are logged. To be notified when someone has accessed a server, we can configure an EventBridge rule to trigger on StartSession and ResumeSession. SNS to an email address is the part that delivers the notification email.
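The EventBridge rule described above, as an added example that is not part of the original article. The event pattern matches StartSession and ResumeSession calls recorded by CloudTrail; the matcher implements only the exact-value subset of EventBridge pattern matching, and the sample events, account ID and user names are constructed.

```python
# EventBridge event pattern for Session Manager access, delivered via CloudTrail.
SESSION_ACCESS_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ssm.amazonaws.com"],
        "eventName": ["StartSession", "ResumeSession"],
    },
}

def matches(pattern, event):
    """Every pattern key must be present and hold one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def make_event(name, user, params):
    """Build a constructed event in the shape EventBridge receives from CloudTrail."""
    return {
        "source": "aws.ssm",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ssm.amazonaws.com",
            "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params,
        },
    }

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    make_event("StartSession", "alice", {"target": "i-0123456789abcdef0"}),
    make_event("SendCommand", "bob", {"documentName": "AWS-RunShellScript"}),
    make_event("ResumeSession", "alice", {"sessionId": "alice-0example"}),
]

def notifications(events):
    """Return the text an SNS email would carry for each matching event."""
    out = []
    for e in events:
        if matches(SESSION_ACCESS_PATTERN, e):
            d = e["detail"]
            out.append(f'{d["eventName"]} by {d["userIdentity"]["arn"]}')
    return out
```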

20. How can you ensure routine backups are being made of EC2 instances?

We can use a snapshot lifecycle policy, as it enforces a regular backup schedule.

AWS Databases interview questions

The majority of applications interact with some form of database. A great advantage of operating in the cloud is the high availability of the database offerings. RDS is not a complicated service, so questions on this topic are very few.

21. What are the backup options available for databases on RDS?

There are two backup options:

  1. Automated backups: Taken every 5 minutes, with a retention period from one day to 35 days.
  2. Manual DB snapshot: Last indefinitely.

Monitoring the status of a backup is important. This helps in auditing that a backup is completed, and if it fails, we can investigate. EventBridge can be used for monitoring.

22. Can we create multiple databases on a single RDS instance?

Yes, this is possible. However, usually, a single RDS instance hosts a single database. When creating an RDS instance, we mention the database name.

23. We have multiple Lambda functions that interact with RDS; however, we are noticing a “too many connections” error message. As a DevOps engineer, how can you resolve this? Note: Usage of RDS is a must.

RDS Proxy is the solution in this case. Connection sessions can be cached and re-used. Because of their concurrent behaviour, Lambda functions open too many connections directly to the RDS instance; with a proxy cache this is resolved. There is a small fee according to the RDS Proxy pricing.

24. There is an application hosted on AWS and it now needs a connection back to a database on-prem. What’s the most secure way to establish a connection from the cloud to on-prem?

The quickest way is to establish a VPN connection that uses IPsec. A VPN connection, compared to Direct Gateway, can be configured much faster, and it is encrypted.

25. Can we connect to the RDS instances without a username and password?

We can use IAM authentication, which generates a new password every 15 minutes upon a new verification. This means we need to implement a few code changes, as we are making API calls to AWS for a new password. One great advantage of leveraging IAM authentication is that we don’t need to manage passwords.

However, if the application code cannot be updated, it is recommended to store these credentials in Secrets Manager or the Parameter Store.

26. What do we need to take into consideration when using DynamoDB?

Since it doesn’t offer a flexible query system like a relational database, planning how to retrieve data is extremely important. Although it is very easy to insert data into DynamoDB, retrieving data can sometimes be complex and challenging.

27. What makes AWS Redshift different from other database types? If I spin up a high-spec PostgreSQL instance, what makes it different from a Redshift cluster?

This question tests your knowledge of core database architecture. Redshift stores data in columns. By storing data in columns, we get to query data faster.

This is great when your data is huge and you have lots of queries to run! Let’s say you have Power BI for visualisation and several other tools that rely on queries over TBs of data; then Redshift is a good candidate.

A great article with an image can be found on Techtarget

Keep in mind the key is to know what a column-oriented database is and how it differs from a row-oriented database. There is also Redshift Spectrum, which lets you fetch data from S3 using raw SQL commands!

AWS Organization – Landing Zone questions

If you have been working on AWS for a while, you must have come across the concept of a landing zone. This is a key term for an experienced DevOps engineer.

28. Can you please explain what is a Landing Zone?

A Landing Zone is a concept where we have different accounts, with each dedicated to a purpose. An LZ offers central logging and networking, with the ability to vend new accounts that fall under a single organization.

AWS Control Tower and AWS Organizations are the core services of an LZ. At a base level, an LZ has the following accounts:

  1. Network
  2. Logging
  3. Security
  4. Management
  5. Workload

Each of the above has its own function and is essential in operating an LZ. This question should come up very often in an AWS DevOps interview, as it helps in understanding whether you have worked in a multi-account environment or not.

29. How can developers benefit from a Landing Zone?

Developers in a company can request to have their own dedicated account, although this depends on the organization’s sandbox policy. Due to the nature of AWS Organizations, we can enforce policies using SCPs, so we can, let’s say, deny the creation of expensive EC2 instances. Having their own account gives engineers an isolated environment.

30. Does operating a Landing Zone cost the business?

Yes. Components such as centralised logging and networking are part of a landing zone, and their operation comes with a cost.


In conclusion, be prepared for your AWS DevOps interview, as the topic covers various AWS services and best practices. These questions span different AWS domains such as IAM, EC2, S3, and RDS, as well as considerations for multi-account environments. The questions are designed to test not just theoretical knowledge but also practical experience and problem-solving skills in AWS environments.