AWS knowledge is a mile wide, so depth matters more than service trivia. These questions check whether a candidate reasons about tradeoffs, security and cost.
Hiring an AWS developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.
Junior AWS interview questions
0–2 years
Core services.
What is the difference between EC2, Lambda and containers?
EC2 is virtual machines you manage; Lambda is serverless functions with no server management; ECS/EKS run containers. Choose by control vs operational burden.
Thinks one option fits every workload.
What is S3 and what is it good for?
Durable, scalable object storage for files, backups, static assets and data lakes — not a filesystem.
Treats S3 like a mountable disk for random writes.
What is the difference between a region and an availability zone?
A region is a geographic area; AZs are isolated data centres within it, used together for high availability.
Runs everything in one AZ and calls it highly available.
What is IAM?
Identity and Access Management controlling who can do what via users, roles and policies, ideally least-privilege.
Uses root or admin access for everything.
What is the difference between security groups and NACLs?
Security groups are stateful instance-level firewalls; NACLs are stateless subnet-level rules.
Confuses stateful and stateless behaviour.
What is an RDS database?
Managed relational databases (Postgres, MySQL, etc.) with backups, patching and failover handled by AWS.
Runs a database on a bare EC2 instance without reason.
What is a VPC?
A logically isolated virtual network where you place resources across subnets, with routing and gateways you control.
No mental model of network isolation.
How does S3 storage pricing broadly work?
You pay for storage, requests and data transfer out; storage classes trade access speed for lower cost.
Assumes storage is the only cost.
Mid-level AWS interview questions
2–5 years
Architecture and scaling.
How do you make a web app highly available on AWS?
Multiple AZs, a load balancer, auto scaling, and a multi-AZ database, with no single point of failure.
Single instance in one AZ.
What is the difference between horizontal scaling with an ALB and vertical scaling?
An Application Load Balancer plus Auto Scaling adds instances horizontally; vertical scaling resizes one instance and has limits.
Only scales by resizing instances.
When do you choose Lambda vs a long-running service?
Lambda for event-driven, spiky or short tasks; a container/EC2 service for steady, long-running or latency-sensitive workloads (cold starts, limits).
Forces a long-running workload into Lambda.
How do IAM roles differ from access keys?
Roles grant temporary, rotated credentials to services/users without long-lived secrets; static access keys are riskier.
Bakes long-lived access keys into code.
How do you decouple components?
Queues (SQS) and pub/sub (SNS/EventBridge) to buffer and fan out work asynchronously and resiliently.
Couples services with synchronous calls that cascade failures.
How does caching with CloudFront/ElastiCache help?
CloudFront caches content at the edge; ElastiCache (Redis/Memcached) caches data, both cutting latency and origin load.
Serves everything from origin with no CDN.
How do you store secrets and config?
Secrets Manager or SSM Parameter Store with encryption and rotation, injected at runtime.
Hardcodes secrets in environment files in the repo.
What is infrastructure as code on AWS?
Defining resources declaratively (CloudFormation/CDK/Terraform) for reproducible, reviewable infrastructure.
Clicks resources together in the console with no record.
Senior AWS interview questions
5+ years
Reliability, security and cost.
How do you design for fault tolerance and disaster recovery?
Multi-AZ (and possibly multi-region), backups and tested restores, health checks and failover, with a defined RTO/RPO.
No backup/restore testing or DR plan.
How do you control and optimise AWS cost?
Right-sizing, autoscaling, storage classes and lifecycle policies, savings plans/reserved capacity, and cost monitoring/alerts.
No visibility into what’s driving the bill.
How do you secure an AWS environment?
Least-privilege IAM, encryption in transit and at rest, private subnets, network controls, logging (CloudTrail) and guardrails.
Public S3 buckets and over-permissive IAM.
How do you design a secure network topology?
Public/private subnets, NAT for egress, security groups, and keeping data stores off the public internet.
Puts databases in public subnets.
How do you approach observability and incident response?
Centralised metrics, logs and traces (CloudWatch/X-Ray), alarms on SLOs, and runbooks for response.
Relies on users to report outages.
What are the tradeoffs of serverless architectures?
Low ops and pay-per-use versus cold starts, vendor lock-in, limits and harder local testing/observability.
Presents serverless as free of downsides.
How do you manage multiple accounts and environments?
AWS Organizations, separate accounts per environment, SCP guardrails, and centralised billing/logging.
One account for everything with mingled prod and dev.
How do you handle data transfer and egress cost surprises?
Understand that cross-AZ, cross-region and internet egress cost money, and architect to minimise unnecessary transfer.
Ignores data-transfer costs entirely.