## 1. Security Services
Q1. Explain how AWS WAF works and common use cases.
Definition: AWS WAF (Web Application Firewall) protects web applications from common exploits (SQL injection, XSS, etc.) by filtering HTTP(S) requests based on customizable rules.
Example: Block requests from specific IP ranges or allow only certain country-based traffic.
Use Cases:
1. Mitigate DDoS attacks.
2. Prevent OWASP Top 10 vulnerabilities.
3. Restrict access by geolocation.
Q2. What is Amazon GuardDuty, and how does it detect threats?
Definition: GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity.
How it works: Uses AWS logs (VPC Flow Logs, CloudTrail, DNS logs) + ML models to detect anomalies like suspicious API calls or port scanning.
Example: Alerts when a new API key is used from an unusual location.
Q3. Difference between AWS Inspector and AWS Config.
| AWS Inspector | AWS Config |
| ----------------------------------------------------------------------- | ------------------------------------------------------ |
| Automated security assessment of EC2 instances and container workloads. | Tracks AWS resource configurations over time. |
| Focused on vulnerabilities & compliance. | Focused on configuration compliance & drift detection. |
Q4. How does AWS Systems Manager help in managing EC2 instances?
Definition: AWS Systems Manager (SSM) lets you manage EC2 & on-prem servers at scale without direct SSH.
Features:
Run commands remotely (patching, software install).
Parameter Store for secure config storage.
Session Manager for secure shell-less access.
Q5. What are Network ACLs (NACL) and how are they different from Security Groups?
| NACL | Security Group |
| ------------------------------------------------------ | ------------------------------------------------ |
| Operates at subnet level. | Operates at instance level. |
| Stateless (return traffic must be explicitly allowed). | Stateful (return traffic automatically allowed). |
| Rules are evaluated in order. | Rules are evaluated as a whole (no priority). |
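The stateless-versus-stateful difference in the table above is easiest to see on one connection. This is an added example, not part of the original page: a toy model (constructed rule shapes and rule sets) where the NACL's outbound rules forget the ephemeral port range that return traffic is sent to.

```python
# Added example, not from the original page: a toy model of a stateless NACL
# versus a stateful Security Group handling one HTTPS session. Rule shapes and
# the sample rule sets are constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lowest number is evaluated first
    proto: str         # "tcp" or "*" (all protocols)
    port_from: int
    port_to: int
    action: str        # "allow" or "deny" (Security Groups only have allows)

    def matches(self, proto, port):
        return self.proto in ("*", proto) and self.port_from <= port <= self.port_to

def nacl_evaluate(rules, proto, port):
    """NACL: rules are checked in ascending number order and the first match
    wins; the implicit final '*' rule denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port):
            return rule.action
    return "deny"

def sg_evaluate(rules, proto, port):
    """Security Group: every rule is an allow, so any match permits the packet."""
    return "allow" if any(r.matches(proto, port) for r in rules) else "deny"

def session_allowed(inbound, outbound, stateful, server_port, client_port):
    """A client on ephemeral client_port connects to server_port. A stateful
    filter remembers the connection and passes the reply; a stateless one
    evaluates the reply towards client_port against the outbound rules."""
    evaluate = sg_evaluate if stateful else nacl_evaluate
    if evaluate(inbound, "tcp", server_port) != "allow":
        return False
    return stateful or evaluate(outbound, "tcp", client_port) == "allow"

# Constructed rule sets. Both allow inbound HTTPS; the first NACL outbound set
# forgets the ephemeral range (1024-65535) that return traffic is sent to.
HTTPS_IN = [Rule(100, "tcp", 443, 443, "allow")]
NACL_OUT_MISSING_EPHEMERAL = [Rule(100, "tcp", 443, 443, "allow")]
NACL_OUT_FIXED = NACL_OUT_MISSING_EPHEMERAL + [Rule(110, "tcp", 1024, 65535, "allow")]

def demo():
    return {
        "security_group": session_allowed(HTTPS_IN, [], True, 443, 51515),
        "nacl_missing_ephemeral": session_allowed(HTTPS_IN, NACL_OUT_MISSING_EPHEMERAL, False, 443, 51515),
        "nacl_fixed": session_allowed(HTTPS_IN, NACL_OUT_FIXED, False, 443, 51515),
    }
```

`demo()` returns True for the Security Group and the fixed NACL but False for the NACL without the ephemeral allow, which is exactly the "why does my NACL break HTTPS" symptom.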
Q6. How would you design a bastion host for secure access to private instances?
Launch EC2 in a public subnet with restricted inbound SSH (only admin IP).
Access private instances via the bastion host using SSH agent forwarding.
Enable CloudTrail and SSM Session Manager for auditing.
Q7. Difference between IAM Roles, Policies, and Users.
User: Represents a person/service with credentials.
Role: Temporary identity for AWS resources or services.
Policy: JSON document defining permissions for a user/role/group.
Q8. Best practices for securing SSH/HTTPS connections in AWS.
Use key pairs instead of passwords.
Restrict inbound rules to known IPs.
Use ACM for HTTPS certificates.
Enable Perfect Forward Secrecy (PFS).
Q9. How do you implement least privilege access in AWS?
Create minimal permission policies per role.
Use IAM Access Analyzer to detect unused permissions.
Rotate keys regularly and remove unused accounts.
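The policy document from Q7 and the least-privilege steps from Q9 can be exercised together. This is an added example, not from the original page: a simplified IAM evaluator (explicit Deny beats Allow, otherwise implicit deny) and an Access-Analyzer-style comparison of granted versus observed actions; the policy, the S3 action catalog and the "observed" activity are constructed.

```python
# Added example, not from the original page: a simplified IAM policy evaluator
# (explicit Deny > Allow > implicit deny) plus a least-privilege check comparing
# what a policy grants with observed activity. All sample data is constructed.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Return True only if some Allow statement matches and no Deny does."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False            # an explicit Deny always wins
        decision = True
    return decision

def granted_actions(policy, catalog, resource):
    """Expand wildcards: which concrete actions from the catalog are allowed?"""
    return {a for a in catalog if is_allowed(policy, a, resource)}

def unused_actions(policy, catalog, resource, observed):
    """Like IAM Access Analyzer's unused-permission finding: granted but never used."""
    return granted_actions(policy, catalog, resource) - set(observed)

def least_privilege_policy(observed, resource):
    """Rewrite the grant to exactly the actions that were actually used."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(observed), "Resource": resource}]}

# Constructed sample: an over-broad role policy vs. the actions seen in CloudTrail.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
S3_CATALOG = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
LOG_OBJECT = "arn:aws:s3:::app-logs/2024/app.log"
OBSERVED = {"s3:GetObject", "s3:PutObject"}
```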
Q10. Steps to enable and monitor encryption in transit and at rest.
At rest: Enable SSE (Server-Side Encryption) in S3, KMS for RDS/EBS.
In transit: Use HTTPS, enable TLS ≥ 1.2, enforce via ALB/API Gateway.
Monitor via AWS Config rules and CloudTrail events.
---
## 2. Networking
Q1. What is a VPC, and what are its key components?
Definition: Amazon Virtual Private Cloud (VPC) is a logically isolated network in AWS where you launch resources.
Key Components: Subnets, Route Tables, Internet Gateway, NAT Gateway, Security Groups, NACLs, VPC Peering.
Q2. How does a VPC Peering connection work?
Private network connection between two VPCs using private IPs without VPN or internet.
Traffic routing done via route tables.
Q3. Difference between VPC Peering and Transit Gateway.
| VPC Peering | Transit Gateway |
| ------------------------------------------- | -------------------------------------------------------------- |
| Point-to-point connection between two VPCs. | Central hub for connecting multiple VPCs and on-prem networks. |
| No transitive routing. | Supports transitive routing. |
Q4. What is a NAT Gateway and when would you use it?
Provides outbound internet access for instances in private subnets without exposing them to inbound internet traffic.
Q5. Difference between Public and Private subnets.
| Public | Private |
| ------------------------------ | ------------------------------------ |
| Has route to Internet Gateway. | No direct route to Internet Gateway. |
| Instances can have public IPs. | Instances only have private IPs. |
Q6. How does a VPN connection work between on-premises and AWS?
Uses IPsec tunnels between AWS VPN Gateway and on-premises gateway to securely transmit data.
Q7. Explain Security Groups vs NACLs in detail.
SG: Instance-level, stateful.
NACL: Subnet-level, stateless.
Q8. How do you connect multiple VPCs securely?
Transit Gateway, VPC Peering, or PrivateLink depending on architecture.
Q9. Steps to configure VPC Flow Logs and analyze them.
1. Enable Flow Logs for VPC/Subnet/ENI.
2. Send logs to S3 or CloudWatch Logs.
3. Analyze with Athena, CloudWatch Insights, or SIEM.
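Step 3 above, and the troubleshooting use of Flow Logs in the Monitoring section, come down to parsing the records and counting REJECTs. This is an added example, not from the original page: a parser for the default (version 2) record format run over constructed log lines (TEST-NET addresses, the AWS documentation's example account id).

```python
# Added example, not from the original page: parse default-format (version 2)
# VPC Flow Log records and summarize what the network controls REJECTed. The
# log lines below are constructed (TEST-NET addresses, example account id).
from collections import Counter

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 51320 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 51321 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44010 443 6 25 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 51322 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_logs(text):
    """Return one dict per usable record; NODATA/SKIPDATA lines carry no
    traffic fields and are dropped, as are lines of an unexpected shape."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])   # protocol is the IANA number (6 = TCP)
        records.append(rec)
    return records

def rejected_by_source(records):
    """REJECT count per source address: one source denied on many distinct
    ports is the usual sign of a scan that the SG/NACL is already blocking."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")

def rejected_ports(records, srcaddr):
    """Distinct destination ports a given source was denied on."""
    return sorted({r["dstport"] for r in records
                   if r["action"] == "REJECT" and r["srcaddr"] == srcaddr})

def accepted_bytes(records):
    """Bytes actually delivered, for volume/latency troubleshooting."""
    return sum(r["bytes"] for r in records if r["action"] == "ACCEPT")
```

The same grouping expressed in Athena or CloudWatch Logs Insights (`count(*) ... where action = 'REJECT' group by srcaddr`) is what most SIEM detections for blocked scans start from.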
Q10. What are Route Tables and how do they control network traffic?
Route tables map destination CIDR blocks to targets (IGW, NAT, VGW, TGW).
---
## 3. Compute Layer (Frontend/Backend)
Q1. Difference between EC2 instance types
General Purpose: Balanced CPU/memory.
Compute Optimized: High CPU.
Memory Optimized: High RAM.
Storage Optimized: High IOPS.
Q2. How to scale EC2 instances automatically.
Use Auto Scaling Groups with scaling policies (CPU utilization, request count).
Q3. Application Load Balancer vs Network Load Balancer.
| ALB | NLB |
| ---------------------- | ------------------------------ |
| Layer 7, HTTP/HTTPS. | Layer 4, TCP/UDP. |
| Content-based routing. | High performance, low latency. |
Q4. Configure high availability across multiple AZs.
Deploy instances in multiple AZs + load balancer + health checks.
Q5. When would you use an RDS Proxy, and why?
Pools DB connections, improves scalability, reduces DB overload.
Q6. ELB vs API Gateway.
ELB: Distributes traffic to servers.
API Gateway: Manages APIs with rate limiting, caching, auth.
---
## 4. Database Layer
Q1. RDS vs DynamoDB
RDS: Relational, SQL-based.
DynamoDB: NoSQL, key-value.
Q2. How Redis (ElastiCache) improves performance
In-memory caching serves repeated reads from memory, reducing database load and query latency.
Q3. RDS Proxy benefits
Connection pooling, failover handling.
Q4. Multi-AZ deployment in RDS
Synchronous standby in another AZ for HA.
Q5. Read Replica vs Multi-AZ
| Read Replica | Multi-AZ |
| ----------------------- | ------------ |
| Asynchronous. | Synchronous. |
| Used for scaling reads. | Used for HA. |
Q6. MemoryDB vs ElastiCache
MemoryDB: Durable, Redis-compatible, Multi-AZ.
ElastiCache: Cache only, less durable.
---
## 5. Automation
Q1. CloudFormation working
Infrastructure as Code (YAML/JSON) to create/manage AWS resources.
Q2. Terraform vs CloudFormation
| Terraform | CloudFormation |
| ------------ | ----------------- |
| Multi-cloud. | AWS only. |
| HCL syntax. | JSON/YAML syntax. |
Q3. AWS Lambda trigger examples
S3 events, DynamoDB streams, API Gateway calls.
Q4. Role of Boto3
Python SDK for AWS automation.
Q5. AWS CLI for automation
Scripting tasks like resource creation, backups.
Q6. Automate AMI creation
Lambda + CloudWatch + EC2 CreateImage API.
Q7. CI/CD in AWS
CodeCommit → CodeBuild → CodeDeploy → CodePipeline.
---
## 6. Serverless
Q1. Lambda vs EC2
Lambda: Event-driven, no server mgmt.
EC2: Full control, long-running apps.
Q2. API Gateway + Lambda
API Gateway routes HTTP requests to Lambda functions.
Q3. Secure serverless
IAM roles, parameter store, VPC access, WAF.
Q4. DynamoDB scaling best practices
On-demand mode, partition key design.
Q5. Cold starts in Lambda
Reduce by using Provisioned Concurrency.
Q6. Step Functions usage
Orchestrate multiple Lambdas in workflows.
Q7. Sync vs Async Lambda
Sync: Waits for result.
Async: Queues invocation.
---
## 7. Monitoring & Logging
Q1. CloudWatch vs CloudTrail
CloudWatch: Metrics, logs, alerts.
CloudTrail: API call history.
Q2. CloudWatch alarms setup
Choose metric → define threshold → set SNS notification.
Q3. Centralized logging with Splunk
Use Kinesis Firehose to stream logs to Splunk.
Q4. Monitor Lambda
CloudWatch metrics + X-Ray tracing.
Q5. Grafana/Prometheus for AWS
Pull metrics from CloudWatch via data sources.
Q6. VPC Flow Logs for troubleshooting
Identify blocked traffic, latency issues.
Q7. Centralized monitoring best practices
Unified dashboards, log retention policy.
---
## 8. Storage
Q1. S3 vs EFS vs EBS
S3: Object storage.
EFS: Shared file storage.
EBS: Block storage for EC2.
Q2. S3 versioning
Keeps old object versions for recovery.
Q3. Secure S3
Block public access, enable encryption, IAM policies.
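Two of the three points above (no public access, encryption enforced) can be checked against the bucket policy itself, which also covers the S3 at-rest item in Q10 of the Security Services section. This is an added example, not from the original page: heuristic checks over two constructed policies, a leaky one and its hardened counterpart.

```python
# Added example, not from the original page: audit a bucket policy for the two
# properties the answer above asks for, no anonymous Allow and server-side
# encryption enforced on writes. Heuristic checks; the sample policies are constructed.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    # "Principal": "*" and {"AWS": "*"} both mean any principal, anonymous included
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_allow_sids(policy):
    """Sids of Allow statements granting anyone access with no Condition limiting it."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]

def enforces_sse_on_put(policy):
    """True if a Deny on s3:PutObject fires whenever the request omits the
    x-amz-server-side-encryption header (the 'Null' condition pattern)."""
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(s.get("Action", [])):
            continue
        null_cond = s.get("Condition", {}).get("Null", {})
        values = _as_list(null_cond.get("s3:x-amz-server-side-encryption", []))
        if any(str(v).lower() == "true" for v in values):
            return True
    return False

def audit(policy):
    return {"public_sids": public_allow_sids(policy), "sse_enforced": enforces_sse_on_put(policy)}

# Constructed samples: a leaky policy and a corrected one for the same bucket.
LEAKY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
```

S3 Block Public Access at the account or bucket level is the belt to this policy check's braces: it overrides a public statement even if one slips through review.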
Q4. S3 Standard vs IA vs Glacier
Standard: Frequent access.
IA: Infrequent access.
Glacier: Archival.
Q5. When to use EFS over S3
When file system semantics needed.
Q6. S3 cross-region replication
Replicates objects automatically to another region.
---
## 9. Packer & AMI Management
Q1. Packer with AWS
Automates AMI creation using templates.
Q2. Create custom AMI
Launch EC2 → install configs → Create Image.
Q3. Automate AMI creation with Packer
Define JSON template → run `packer build`.
Q4. Manual vs automated AMI creation
| Manual | Automated |
| ------------------------ | --------------------------- |
| Manual steps in console. | Fully scripted, repeatable. |