Cloud engineer domain knowledge interview questions

As asked

Explain what a Service Control Policy is, where it sits in the permission evaluation chain, and give me an example of what it can do that an IAM policy cannot.

Sample answer outline

SCPs are AWS Organizations policies applied to OUs or accounts that set the maximum permissions available in that account. They do not grant permissions themselves. Example: an SCP that denies all actions outside us-east-1 and eu-west-1 prevents any IAM user or role, even the account root (with exceptions), from deploying in other regions. IAM policies cannot restrict the root user or control what services are available account-wide.

Expect these follow-ups

• Can an SCP deny the root account user?
• If an SCP denies an action and an IAM policy allows it, what is the outcome?

As asked

What are the five pillars of the AWS Well-Architected Framework? For each, give me one principle that most teams get wrong.

Sample answer outline

Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation (and Sustainability added in 2021). Common mistakes: OpEx - not automating runbooks; Security - overly broad IAM; Reliability - no DR testing; Performance - picking instance size by gut feel instead of load testing; Cost - buying Reserved Instances without utilisation data.

Expect these follow-ups

• What is the sixth pillar added in 2021?
• How does the Well-Architected Tool help you apply these pillars?

As asked

Walk me through the key decision criteria for choosing Amazon Kinesis Data Streams over SQS for an event-streaming use case.

Sample answer outline

Kinesis wins when you need multiple independent consumers reading the same stream (fan-out without duplicating messages), ordering within a shard, data replay, or a sustained high-throughput stream at low per-message cost. SQS wins for decoupled work queues where each message should be processed exactly once by one consumer, where message size up to 256 KB matters, and where you need FIFO ordering. SQS scales automatically; Kinesis needs manual shard management.

Expect these follow-ups

• What is Kinesis Enhanced Fan-Out and when does it matter?
• How does SQS FIFO queue ordering differ from Kinesis shard ordering?

As asked

Explain what .terraform.lock.hcl does, when it is created, and why you should commit it to source control.

Sample answer outline

The lock file records the exact provider version and checksums for each platform that terraform init downloaded. Committing it means every engineer and CI runner uses the same provider version without needing to specify version constraints everywhere. Without it, a new team member running terraform init could pull a newer provider that has breaking behaviour. Running terraform init -upgrade updates the lock file intentionally.

Expect these follow-ups

• What does terraform providers lock do and when would you use it?
• If a colleague is on a Mac and you are on Linux, does the lock file cause issues?

As asked

Explain what AWS GuardDuty is, what data sources it analyses, and give three examples of threat types it detects that you would consider high severity.

Sample answer outline

GuardDuty is a managed threat detection service that analyses CloudTrail management events, VPC Flow Logs, DNS logs, EKS audit logs, S3 data events, and RDS login activity without requiring agents. High-severity examples: EC2 instance communicating with a known cryptomining IP (CryptoCurrency finding), IAM credentials used from a Tor exit node (Tor:IAMUser/MaliciousIPCaller), or recon activity like port scanning from an EC2 instance (Recon:EC2/PortProbeUnprotectedPort).

Expect these follow-ups

• How do you suppress a GuardDuty finding that is a known false positive?
• How does GuardDuty integrate with Security Hub?

As asked

Explain the difference between an ECS task definition and an ECS service. What does the service scheduler do that simply running a task does not?

Sample answer outline

A task definition is a versioned blueprint specifying the container image, CPU/memory, networking mode, volumes, and IAM role. A task is a running instance of a task definition. An ECS service maintains a desired number of running tasks, replaces failed tasks, integrates with load balancers and service discovery, and supports rolling deployments. Running a standalone task is appropriate for batch jobs; a service is for long-running APIs.

Expect these follow-ups

• What is the deployment circuit breaker in an ECS service?
• What happens to running tasks during an ECS service deployment with rolling updates?

As asked

A junior engineer keeps confusing CloudTrail and CloudWatch. How would you explain the difference to them, and give an example of a question only CloudTrail can answer and one only CloudWatch can answer?

Sample answer outline

CloudTrail records API calls (who did what, when, from where) for auditing and investigation. CloudWatch collects metrics, logs, and alarms for monitoring operational health. Only CloudTrail can answer: who deleted the S3 bucket at 3 AM? Only CloudWatch can answer: what was the Lambda error rate last Tuesday at 2 PM? Both matter: CloudTrail for security forensics, CloudWatch for operational monitoring.

Expect these follow-ups

• How do you search CloudTrail logs efficiently for a specific IAM user's actions?
• What is CloudTrail Lake and how does it differ from the standard S3 delivery?

As asked

Compare AWS PrivateLink and VPC Peering. In what scenario would you choose PrivateLink over peering even if both technically work?

Sample answer outline

VPC peering provides bidirectional connectivity between two VPCs (all ports, bidirectional routing). PrivateLink exposes a specific service endpoint (NLB-backed) from one VPC into another, unidirectionally, with no need to expose the full VPC. Choose PrivateLink when selling a service to another AWS customer or organisation where you want to expose only one endpoint without giving access to your whole VPC, or when the consumer and provider have overlapping CIDRs.

Expect these follow-ups

• Can VPC peering work between accounts in different AWS organisations?
• What is the difference between a VPC endpoint for S3 (gateway type) and one for DynamoDB?

As asked

Explain what a Service Control Policy is, where it sits in the permission evaluation chain, and give me an example of what it can do that an IAM policy cannot.

Sample answer outline

SCPs are AWS Organizations policies applied to OUs or accounts that set the maximum permissions available in that account. They do not grant permissions themselves. Example: an SCP that denies all actions outside us-east-1 and eu-west-1 prevents any IAM user or role, even the account root (with exceptions), from deploying in other regions. IAM policies cannot restrict the root user or control what services are available account-wide.

Expect these follow-ups

• Can an SCP deny the root account user?
• If an SCP denies an action and an IAM policy allows it, what is the outcome?

As asked

What are the five pillars of the AWS Well-Architected Framework? For each, give me one principle that most teams get wrong.

Sample answer outline

Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation (and Sustainability added in 2021). Common mistakes: OpEx - not automating runbooks; Security - overly broad IAM; Reliability - no DR testing; Performance - picking instance size by gut feel instead of load testing; Cost - buying Reserved Instances without utilisation data.

Expect these follow-ups

• What is the sixth pillar added in 2021?
• How does the Well-Architected Tool help you apply these pillars?

As asked

Walk me through the key decision criteria for choosing Amazon Kinesis Data Streams over SQS for an event-streaming use case.

Sample answer outline

Kinesis wins when you need multiple independent consumers reading the same stream (fan-out without duplicating messages), ordering within a shard, data replay, or a sustained high-throughput stream at low per-message cost. SQS wins for decoupled work queues where each message should be processed exactly once by one consumer, where message size up to 256 KB matters, and where you need FIFO ordering. SQS scales automatically; Kinesis needs manual shard management.

Expect these follow-ups

• What is Kinesis Enhanced Fan-Out and when does it matter?
• How does SQS FIFO queue ordering differ from Kinesis shard ordering?

As asked

Explain what .terraform.lock.hcl does, when it is created, and why you should commit it to source control.

Sample answer outline

The lock file records the exact provider version and checksums for each platform that terraform init downloaded. Committing it means every engineer and CI runner uses the same provider version without needing to specify version constraints everywhere. Without it, a new team member running terraform init could pull a newer provider that has breaking behaviour. Running terraform init -upgrade updates the lock file intentionally.

Expect these follow-ups

• What does terraform providers lock do and when would you use it?
• If a colleague is on a Mac and you are on Linux, does the lock file cause issues?

As asked

Explain what AWS GuardDuty is, what data sources it analyses, and give three examples of threat types it detects that you would consider high severity.

Sample answer outline

GuardDuty is a managed threat detection service that analyses CloudTrail management events, VPC Flow Logs, DNS logs, EKS audit logs, S3 data events, and RDS login activity without requiring agents. High-severity examples: EC2 instance communicating with a known cryptomining IP (CryptoCurrency finding), IAM credentials used from a Tor exit node (Tor:IAMUser/MaliciousIPCaller), or recon activity like port scanning from an EC2 instance (Recon:EC2/PortProbeUnprotectedPort).

Expect these follow-ups

• How do you suppress a GuardDuty finding that is a known false positive?
• How does GuardDuty integrate with Security Hub?

As asked

Explain the difference between an ECS task definition and an ECS service. What does the service scheduler do that simply running a task does not?

Sample answer outline

A task definition is a versioned blueprint specifying the container image, CPU/memory, networking mode, volumes, and IAM role. A task is a running instance of a task definition. An ECS service maintains a desired number of running tasks, replaces failed tasks, integrates with load balancers and service discovery, and supports rolling deployments. Running a standalone task is appropriate for batch jobs; a service is for long-running APIs.

Expect these follow-ups

• What is the deployment circuit breaker in an ECS service?
• What happens to running tasks during an ECS service deployment with rolling updates?

As asked

A junior engineer keeps confusing CloudTrail and CloudWatch. How would you explain the difference to them, and give an example of a question only CloudTrail can answer and one only CloudWatch can answer?

Sample answer outline

CloudTrail records API calls (who did what, when, from where) for auditing and investigation. CloudWatch collects metrics, logs, and alarms for monitoring operational health. Only CloudTrail can answer: who deleted the S3 bucket at 3 AM? Only CloudWatch can answer: what was the Lambda error rate last Tuesday at 2 PM? Both matter: CloudTrail for security forensics, CloudWatch for operational monitoring.

Expect these follow-ups

• How do you search CloudTrail logs efficiently for a specific IAM user's actions?
• What is CloudTrail Lake and how does it differ from the standard S3 delivery?

As asked

Compare AWS PrivateLink and VPC Peering. In what scenario would you choose PrivateLink over peering even if both technically work?

Sample answer outline

VPC peering provides bidirectional connectivity between two VPCs (all ports, bidirectional routing). PrivateLink exposes a specific service endpoint (NLB-backed) from one VPC into another, unidirectionally, with no need to expose the full VPC. Choose PrivateLink when selling a service to another AWS customer or organisation where you want to expose only one endpoint without giving access to your whole VPC, or when the consumer and provider have overlapping CIDRs.

Expect these follow-ups

• Can VPC peering work between accounts in different AWS organisations?
• What is the difference between a VPC endpoint for S3 (gateway type) and one for DynamoDB?