AWS Interview Questions (2026): By Level, With Model Answers

How to use this

AWS knowledge is a mile wide, so depth matters more than service trivia. These questions check whether a candidate reasons about tradeoffs, security and cost.

Hiring an AWS developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.

Junior AWS interview questions

0–2 years

Core services.

What is the difference between EC2, Lambda and containers?

What a strong answer covers

EC2 is virtual machines you manage; Lambda is serverless functions with no server management; ECS/EKS run containers. Choose by control vs operational burden.

Red flag

Thinks one option fits every workload.

What is S3 and what is it good for?

What a strong answer covers

Durable, scalable object storage for files, backups, static assets and data lakes — not a filesystem.

Red flag

Treats S3 like a mountable disk for random writes.

What is the difference between a region and an availability zone?

What a strong answer covers

A region is a geographic area; AZs are isolated data centres within it, used together for high availability.

Red flag

Runs everything in one AZ and calls it highly available.

What is IAM?

What a strong answer covers

Identity and Access Management controlling who can do what via users, roles and policies, ideally least-privilege.

Red flag

Uses root or admin access for everything.

What is the difference between security groups and NACLs?

What a strong answer covers

Security groups are stateful instance-level firewalls; NACLs are stateless subnet-level rules.

Red flag

Confuses stateful and stateless behaviour.

What is an RDS database?

What a strong answer covers

Managed relational databases (Postgres, MySQL, etc.) with backups, patching and failover handled by AWS.

Red flag

Runs a database on a bare EC2 instance without reason.

What is a VPC?

What a strong answer covers

A logically isolated virtual network where you place resources across subnets, with routing and gateways you control.

Red flag

No mental model of network isolation.

How does S3 storage pricing broadly work?

What a strong answer covers

You pay for storage, requests and data transfer out; storage classes trade access speed for lower cost.

Red flag

Assumes storage is the only cost.

Mid-level AWS interview questions

2–5 years

Architecture and scaling.

How do you make a web app highly available on AWS?

What a strong answer covers

Multiple AZs, a load balancer, auto scaling, and a multi-AZ database, with no single point of failure.

Red flag

Single instance in one AZ.

What is the difference between horizontal scaling with an ALB and vertical scaling?

What a strong answer covers

An Application Load Balancer plus Auto Scaling adds instances horizontally; vertical scaling resizes one instance and has limits.

Red flag

Only scales by resizing instances.

When do you choose Lambda vs a long-running service?

What a strong answer covers

Lambda for event-driven, spiky or short tasks; a container/EC2 service for steady, long-running or latency-sensitive workloads (cold starts, limits).

Red flag

Forces a long-running workload into Lambda.

How do IAM roles differ from access keys?

What a strong answer covers

Roles grant temporary, rotated credentials to services/users without long-lived secrets; static access keys are riskier.

Red flag

Bakes long-lived access keys into code.

How do you decouple components?

What a strong answer covers

Queues (SQS) and pub/sub (SNS/EventBridge) to buffer and fan out work asynchronously and resiliently.

Red flag

Couples services with synchronous calls that cascade failures.

How does caching with CloudFront/ElastiCache help?

What a strong answer covers

CloudFront caches content at the edge; ElastiCache (Redis/Memcached) caches data, both cutting latency and origin load.

Red flag

Serves everything from origin with no CDN.

How do you store secrets and config?

What a strong answer covers

Secrets Manager or SSM Parameter Store with encryption and rotation, injected at runtime.

Red flag

Hardcodes secrets in environment files in the repo.

What is infrastructure as code on AWS?

What a strong answer covers

Defining resources declaratively (CloudFormation/CDK/Terraform) for reproducible, reviewable infrastructure.

Red flag

Clicks resources together in the console with no record.

Senior AWS interview questions

5+ years

Reliability, security and cost.

How do you design for fault tolerance and disaster recovery?

What a strong answer covers

Multi-AZ (and possibly multi-region), backups and tested restores, health checks and failover, with a defined RTO/RPO.

Red flag

No backup/restore testing or DR plan.

How do you control and optimise AWS cost?

What a strong answer covers

Right-sizing, autoscaling, storage classes and lifecycle policies, savings plans/reserved capacity, and cost monitoring/alerts.

Red flag

No visibility into what’s driving the bill.

How do you secure an AWS environment?

What a strong answer covers

Least-privilege IAM, encryption in transit and at rest, private subnets, network controls, logging (CloudTrail) and guardrails.

Red flag

Public S3 buckets and over-permissive IAM.

How do you design a secure network topology?

What a strong answer covers

Public/private subnets, NAT for egress, security groups, and keeping data stores off the public internet.

Red flag

Puts databases in public subnets.

How do you approach observability and incident response?

What a strong answer covers

Centralised metrics, logs and traces (CloudWatch/X-Ray), alarms on SLOs, and runbooks for response.

Red flag

Relies on users to report outages.

What are the tradeoffs of serverless architectures?

What a strong answer covers

Low ops and pay-per-use versus cold starts, vendor lock-in, limits and harder local testing/observability.

Red flag

Presents serverless as free of downsides.

How do you manage multiple accounts and environments?

What a strong answer covers

AWS Organizations, separate accounts per environment, SCP guardrails, and centralised billing/logging.

Red flag

One account for everything with mingled prod and dev.

How do you handle data transfer and egress cost surprises?

What a strong answer covers

Understand that cross-AZ, cross-region and internet egress cost money, and architect to minimise unnecessary transfer.

Red flag

Ignores data-transfer costs entirely.
