Cloud DevOps Interview Questions

Uploaded by suresh

1. What is AWS Landing Zone?

AWS Landing Zone was an AWS solution for standing up a secure, multi-account AWS environment
based on AWS best practices. It automated account vending, baseline IAM roles, centralized
logging (CloudTrail, Config) and security baselines such as GuardDuty, so that an organization
could add accounts quickly while keeping governance and compliance. It is no longer offered for
new deployments; AWS Control Tower is the managed successor and provides the same landing-zone
baseline (organizational units, guardrails, account factory), so an interview answer should mention
Control Tower as the current way to get a landing zone.

2. What is AWS Organizations?

AWS Organizations is the service that manages multiple AWS accounts under a single management
account. It provides consolidated billing, account creation and grouping into organizational units
(OUs), and centralized governance through Service Control Policies (SCPs). An SCP does not grant
permissions; it sets the maximum permissions any principal in the member account can have, which
is why SCPs are the right place for guardrails such as "no one may disable CloudTrail or leave the
approved regions".

3. Explain the secure ways of giving users access to S3.

S3 access can be secured in the following ways:

• IAM policies: Identity-based permissions attached to users, roles, or groups; prefer roles
over users with long-term keys.

• Bucket policies: Resource-based permissions for a bucket and its objects, including
cross-account grants and conditions such as denying requests where aws:SecureTransport is
false or restricting access to a VPC endpoint.

• Access Control Lists (ACLs): Legacy bucket- and object-level grants. AWS recommends
disabling them (Object Ownership set to "Bucket owner enforced", the default for new buckets) so
that access is governed by policies only.

• Pre-signed URLs: Temporary access to a single object, signed with the credentials of the
principal that created the URL, valid for at most seven days and carrying that principal's
permissions.

• VPC endpoints: Private connectivity to S3 from a VPC; combined with a bucket policy that
requires aws:SourceVpce, they keep the bucket unreachable from the public internet.

• S3 Block Public Access: Account- and bucket-level switches that override any policy or ACL
that would make data public; leave them on unless a bucket is deliberately public.
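A worked example of the pre-signed URL mechanism, added here and not part of the original
question set: it builds an S3 SigV4 presigned GET URL by hand (no boto3) and then re-derives the
signature the way S3 does, which is what makes the access both temporary and tamper-proof. The
bucket, key and credentials are constructed placeholders, and presign_get, verify_presigned and
demo are names chosen for this example.

```python
"""Build and verify an S3 SigV4 presigned GET URL without the AWS SDK.

Added example; the credentials below are constructed placeholders in the
format AWS uses in its documentation and do not belong to any account.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # constructed
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # constructed
REGION = "us-east-1"
SERVICE = "s3"
MAX_EXPIRES = 7 * 24 * 3600   # SigV4 presigned URLs are capped at seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation: secret -> date -> region -> service -> aws4_request
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def _signature(host: str, key: str, params: dict, secret: str) -> str:
    """Signature over the canonical request; params must not contain X-Amz-Signature."""
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),   # S3 encodes the key once, slashes kept
        _canonical_query(params),
        f"host:{host}\n",             # canonical headers block, each line \n-terminated
        "host",                       # signed headers
        "UNSIGNED-PAYLOAD",           # presigned URLs never commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, expires_s: int, now: datetime,
                access_key: str = ACCESS_KEY, secret: str = SECRET_KEY) -> str:
    """Return a GET URL valid for expires_s seconds from now (timezone-aware)."""
    if not 1 <= expires_s <= MAX_EXPIRES:
        raise ValueError("expiry must be between 1 second and 7 days")
    host = f"{bucket}.s3.{REGION}.amazonaws.com"
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(host, key, params, secret)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(params)}"


def verify_presigned(url: str, now: datetime, secret: str = SECRET_KEY):
    """Re-derive the signature server-side; returns (accepted, reason)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    try:
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        expires_s = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    deadline = issued.replace(tzinfo=timezone.utc) + timedelta(seconds=expires_s)
    if now.astimezone(timezone.utc) > deadline:
        return False, "expired"
    expected = _signature(parts.netloc, unquote(parts.path).lstrip("/"), params, secret)
    if not hmac.compare_digest(expected, presented):   # constant-time compare
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Issue a five-minute URL at a fixed time and probe it (constructed scenario)."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("reports-bucket", "q1/report.pdf", 300, issued)
    return {
        "fresh": verify_presigned(url, issued + timedelta(seconds=299)),
        "expired": verify_presigned(url, issued + timedelta(seconds=301)),
        "other_key": verify_presigned(url.replace("report.pdf", "other.pdf"), issued),
        "longer_life": verify_presigned(
            url.replace("X-Amz-Expires=300", "X-Amz-Expires=3000"), issued),
    }


if __name__ == "__main__":
    print(demo())
```

The two failing probes are the point of the example: the expiry is inside the signed query
string, so a recipient cannot extend it, and the object key is inside the canonical request, so the
URL cannot be re-pointed at another object. Note that revoking a presigned URL before it expires
requires revoking or changing the permissions of the principal that signed it.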

4. IAM User vs Role?

• IAM User: Represents an individual person or application and carries long-term credentials
(console password, access keys). Those keys never expire on their own, leak easily, and must be
rotated, which is why AWS recommends human users sign in through IAM Identity Center instead.

• IAM Role: An identity with permissions but no long-term credentials. Entities (users,
services, or external accounts) assume it and receive temporary STS credentials that expire
(15 minutes to 12 hours). Roles are the right way to give EC2, Lambda, or a CI pipeline access
to AWS.

5. IAM Assume Role?

Assuming a role lets an entity (user or service) temporarily take on that role's permissions. The
caller invokes the STS API AssumeRole, which returns short-lived credentials (access key, secret
key, session token). Two policies must agree: the role's trust policy must list the caller as an
allowed principal, and the caller's own policy must allow sts:AssumeRole on the role. Example:
cross-account access, where an account grants a role to a partner or CI account; for third
parties, the trust policy should also require an ExternalId to prevent the confused-deputy problem.

6. What is the condition in IAM Policy?

A Condition block adds constraints that must hold for a statement to apply. It names a condition
operator (StringEquals, IpAddress, Bool, ArnLike, DateGreaterThan, ...) and a condition key
(aws:SourceIp, aws:MultiFactorAuthPresent, aws:SecureTransport, aws:CurrentTime,
aws:PrincipalOrgID, service keys such as s3:prefix). All operators in the block must be satisfied.
Example: restrict access to the office IP range, require MFA for deletes, or allow a
maintenance action only during a time window. A common mistake is using Bool on a key that may
be absent from the request (MFA for access-key calls); the IfExists variant, or a Deny that
checks for "false", is needed to make such a rule effective.

7. What is the difference between a public subnet and a private subnet?

Public Subnet: Associated with a route table that has a route (usually 0.0.0.0/0) to an Internet
Gateway (IGW). Instances with a public or Elastic IP can be reached from, and reach, the internet.

Private Subnet: No route to the IGW, so nothing in it accepts inbound connections from the
internet. Outbound access, if needed, goes through a NAT gateway, VPC endpoints, or a private link
to on-premises.

8. How to connect to a private subnet or server from outside?

You can reach resources in a private subnet using:

Bastion Host (Jump Box): A hardened EC2 instance in a public subnet that you SSH to first; its
security group should allow port 22 only from known IPs, and the private servers should allow SSH
only from the bastion's security group.

AWS Systems Manager Session Manager: Shell access through the SSM agent with no inbound ports,
no bastion and no SSH keys; sessions are authorized by IAM and can be logged to CloudWatch or S3.
This is usually the preferred answer today.

VPN or Direct Connect: Securely extend an on-premises network into the VPC so private subnets are
reachable over private addresses.

NAT Gateway: Often mentioned here, but it only gives private instances outbound internet access
(for patching, package downloads); it does not allow inbound connections.

9. What is PrivateLink for S3?

AWS PrivateLink lets a VPC reach S3 through an interface VPC endpoint: one or more elastic network
interfaces with private IP addresses in your subnets, so traffic never traverses the public
internet. Unlike the older gateway endpoint, an interface endpoint can also be reached from
on-premises over VPN or Direct Connect, and it supports endpoint policies and security groups. For
access purely from inside the VPC the gateway endpoint is free and usually preferred.

10. VPC Endpoint Types?

Gateway Endpoint: A route-table target for S3 and DynamoDB only; free, and reachable only from
inside the VPC. Supports an endpoint policy to limit which buckets or tables can be used.

Interface Endpoint: An ENI with a private IP in your subnet, backed by PrivateLink, for most other
AWS services (and for S3 as well); reachable from peered VPCs and on-premises, supports security
groups and endpoint policies, billed per hour and per GB.

Gateway Load Balancer Endpoint: Also PrivateLink-based; used to route traffic through third-party
network appliances (firewalls, IDS) deployed behind a Gateway Load Balancer.


11. Have you ever configured a Transit Gateway?

Yes. A Transit Gateway is a regional hub that connects multiple VPCs, VPN and Direct Connect
attachments, and, through peering, other AWS Regions. It replaces meshes of VPC peering
connections with a hub-and-spoke topology, and its own route tables allow segmentation (for
example, production VPCs cannot reach development VPCs even though both attach to the hub).

12. What is the difference between a Security Group and NACL?

• Security Group: stateful (return traffic for an allowed connection is permitted
automatically); applies at the instance/ENI level; contains allow rules only, inbound and
outbound, with no way to express a deny; all rules are evaluated before a decision.

• NACL (Network ACL): stateless (return traffic, including the ephemeral port range 1024-65535,
must be allowed explicitly in the other direction); applies at the subnet level to every instance
in it; supports both allow and deny rules; rules are evaluated in numerical order and the first
match wins.

The practical split: use security groups as the primary control, and NACLs for coarse
subnet-level blocks such as denying a known-bad IP range.

13. What is VPC Peering and its steps?

VPC Peering connects two VPCs (same or different accounts and regions) so traffic flows between
them over private addresses. Steps:

Create a peering connection from the requester VPC, naming the accepter VPC and account.

Accept the request in the accepter VPC.

Add routes in both VPCs' route tables pointing the peer's CIDR at the peering connection.

Update security groups and NACLs to allow the peer's traffic.

Caveats: the CIDR ranges must not overlap, and peering is not transitive, so A-B and B-C do not
give A-C; that is when a Transit Gateway is the better fit.

14. VPC Transit Gateway Steps?

Create the Transit Gateway (choose whether attachments auto-associate and auto-propagate routes).

Create attachments for each VPC (selecting a subnet per AZ), VPN, or Direct Connect gateway.

Configure Transit Gateway route tables: associate each attachment and add static or propagated
routes; use separate route tables to segment environments.

Update each VPC's own route tables so the remote CIDRs point at the Transit Gateway attachment.

15. On-premises to S3 connection?

Direct Connect or a site-to-site VPN brings on-premises traffic into the VPC, but S3 is a regional
public service, so the private path must be completed with an interface VPC endpoint for S3:
on-premises hosts resolve the endpoint's private DNS name and reach S3 over the private link (a
gateway endpoint cannot be used from outside the VPC). A Direct Connect public virtual interface
is the alternative that reaches S3's public endpoints over the dedicated link. Lock the bucket
policy to the endpoint (aws:SourceVpce) so the same data is not also reachable from the internet.

16. Explain IAM Policy and all steps in that?

IAM Policies are JSON documents made of statements; each statement has an Effect (Allow or Deny),
the Actions, the Resources, optionally a Principal (resource-based policies only) and Conditions.
Steps:

1. Decide the effect (Allow, or Deny for guardrails).
2. Define actions (s3:ListBucket); avoid wildcards such as s3:* in allow statements.
3. Define resources (arn:aws:s3:::example-bucket, arn:aws:s3:::example-bucket/*); note that
bucket-level and object-level actions need different ARNs.
4. Add conditions if required.
5. Attach the policy to users, roles, or groups (identity-based) or embed it in the resource
(bucket policy).

Evaluation order to remember for the interview: an explicit Deny anywhere wins, then an Allow is
needed from an identity or resource policy, otherwise the request is implicitly denied; SCPs and
permission boundaries can only narrow, never grant.
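To make the evaluation order and the condition semantics from questions 6 and 16 concrete,
here is a small policy evaluator, added as an example and not taken from the page or from AWS:
it implements explicit-deny-wins, case-insensitive action globs, and the Bool / BoolIfExists
distinction, and runs a constructed bucket policy through the cases an interviewer tends to ask
about. BUCKET_POLICY, evaluate and demo are names chosen for this example, and only the condition
operators that policy uses are implemented.

```python
"""Evaluate a request against IAM-style JSON policies (added example).

Core IAM decision logic: explicit Deny beats Allow, which beats the implicit
deny; Action globs are case-insensitive, Resource globs are not; every
Condition operator must hold. Only the operators used below are implemented.
"""
import ipaddress
import re

# Constructed bucket policy for this example (not from the page).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        # Deny any plaintext (non-TLS) request.
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Deny deletes unless MFA was used. BoolIfExists is deliberate: a plain
        # Bool never matches when the key is absent, so a request made with
        # long-term access keys (no MFA context at all) would slip through.
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


_POSITIVE = {
    "StringEquals": lambda actual, want: actual == want,
    "StringLike": lambda actual, want: _glob(want, actual),
    "Bool": lambda actual, want: str(actual).lower() == str(want).lower(),
    "IpAddress": lambda actual, want: ipaddress.ip_address(actual)
    in ipaddress.ip_network(want, strict=False),
}
_NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike",
            "NotIpAddress": "IpAddress"}


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in pairs.items():
            if key not in context:
                if if_exists:
                    continue          # ...IfExists: an absent key counts as satisfied
                return False          # plain operator: an absent key never matches
            actual = context[key]
            if base in _NEGATED:
                ok = not any(_POSITIVE[_NEGATED[base]](actual, w) for w in _as_list(wanted))
            else:
                ok = any(_POSITIVE[base](actual, w) for w in _as_list(wanted))
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    return (any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"         # an explicit deny anywhere ends evaluation
            decision = "Allow"
    return decision


def demo():
    """Constructed requests against BUCKET_POLICY; context keys mirror AWS's."""
    obj = "arn:aws:s3:::example-bucket/q1/report.pdf"
    bucket = "arn:aws:s3:::example-bucket"
    tls = {"aws:SecureTransport": "true"}
    p = [BUCKET_POLICY]
    return {
        "get_over_tls": evaluate(p, "s3:GetObject", obj, tls),
        "get_plaintext": evaluate(p, "s3:getobject", obj, {"aws:SecureTransport": "false"}),
        "list_from_office": evaluate(p, "s3:ListBucket", bucket, {**tls, "aws:SourceIp": "203.0.113.7"}),
        "list_from_elsewhere": evaluate(p, "s3:ListBucket", bucket, {**tls, "aws:SourceIp": "198.51.100.5"}),
        "delete_no_mfa_key": evaluate(p, "s3:DeleteObject", obj, tls),
        "delete_with_mfa": evaluate(p, "s3:DeleteObject", obj, {**tls, "aws:MultiFactorAuthPresent": "true"}),
        "change_policy": evaluate(p, "s3:PutBucketPolicy", bucket, tls),
    }
```

The "delete_no_mfa_key" case is the one to remember: the request carries no MFA key at all, and
it is still denied only because the statement uses BoolIfExists. The real IAM engine also layers
SCPs, permission boundaries and session policies on top of this; the evaluator covers the
identity/resource policy core that the question asks about.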

17. Terraform import - Explain with example?

terraform import brings infrastructure that already exists (created by hand or by another tool)
under Terraform management by writing it into the state file. The command takes the resource
address from your configuration and the provider-specific ID of the real object (for an S3
bucket, the bucket name; for an EC2 instance, the instance ID). Import only touches state, so you
must first write the matching resource block, then run terraform plan until it shows no changes;
otherwise the next apply will "fix" the resource toward whatever the block says. Terraform 1.5
added a declarative import block that plan and apply execute, and that can generate the resource
configuration for you.

Example:

18. Terraform Module?

Modules are reusable Terraform configurations (a directory of .tf files with input variables and
outputs) called from a root module. They structure large projects and let a platform team publish
vetted building blocks such as "private S3 bucket with encryption and logging". From a
supply-chain standpoint, always pin module sources: a version constraint for registry modules, a
tag or commit SHA for git sources, so a push to a module repository cannot silently change what
your pipeline deploys.

19. .gitlab-ci.yml file for Terraform steps?

The pipeline file is named .gitlab-ci.yml at the repository root. A Terraform pipeline typically
has stages for validate (terraform fmt -check, terraform validate), plan (saving the plan as an
artifact), and apply (a manual job that applies exactly that saved plan), with the AWS credentials
supplied through a short-lived role via OIDC rather than long-lived keys stored as CI variables.

Sample GitLab CI/CD YAML:

20. What is a Statefile and where do you keep the Statefile?

The Terraform state file maps the resources in your configuration to the real objects Terraform
manages, and records every attribute it knows about them. That includes secrets such as database
passwords and generated keys in plaintext, so the state must be treated as sensitive.

• Location: Locally (terraform.tfstate, acceptable only for experiments) or in a remote
backend: S3 with SSE-KMS, versioning and a DynamoDB table for state locking, Azure Blob Storage,
GCS, or Terraform Cloud. Restrict read access to the backend, never commit state to git, and
enable locking so two pipelines cannot apply at once.


21. How do you patch servers and monitor patching?

• Use AWS Systems Manager Patch Manager (patch baselines, maintenance windows, patch groups) or
a configuration tool such as Ansible; Patch Manager needs only the SSM agent and an instance role,
no inbound access.

• Monitor via Systems Manager Compliance (per-instance patch compliance state), CloudWatch
metrics and SSM run logs for failed runs, and Amazon Inspector for CVEs that remain unpatched.

22. How to secure the resources in AWS?

1. Identity: Least-privilege IAM, roles instead of access keys, MFA on every human identity, SCPs
as organization-wide guardrails.

2. Encryption: Data at rest (KMS-backed SSE for S3, EBS, RDS) and in transit (TLS), with key
policies that limit who can use each KMS key.

3. Network: Security groups and NACLs that allow only required ports, private subnets for
anything that is not an internet-facing endpoint, VPC endpoints instead of public paths, and S3
Block Public Access left on.

4. Visibility: CloudTrail in every region, GuardDuty, Config rules, and CloudWatch alarms, with
findings aggregated in Security Hub.

23. Encryption Types?

• Symmetric encryption: one key encrypts and decrypts (e.g., AES-256-GCM, used by S3, EBS, and
KMS data keys). Fast, so it is used for bulk data.

• Asymmetric encryption: a public/private key pair (RSA, elliptic curve); used for key
exchange, signing, and TLS certificates rather than for bulk data.

• Envelope encryption: how AWS services combine the two in practice. KMS holds the root key and
never releases it; it generates a data key, the service encrypts the data with the data key, and
stores the data key encrypted under the KMS key alongside the data. Decryption calls KMS only to
unwrap the data key, which is why KMS key policies and CloudTrail logs control and record every
decrypt.

24. Encryption at rest vs in transit?

• At rest: Protects stored data (e.g., S3 server-side encryption, encrypted EBS volumes and RDS
storage). Defends against access to the underlying disks or a leaked backup, not against a
principal who already has read permission.

• In transit: Protects data moving over the network (TLS for HTTPS, database TLS, VPN/IPsec).
In AWS it is enforced by policy, for example a bucket policy denying requests where
aws:SecureTransport is false.

25. How do you monitor VPC logs?

Enable VPC Flow Logs at the VPC, subnet, or ENI level, capturing ALL, ACCEPT, or REJECT traffic,
and deliver them to CloudWatch Logs (query with Logs Insights, alarm on metric filters) or to S3
(query with Athena). Flow logs record connection metadata (addresses, ports, protocol, bytes, and
the security-group/NACL decision), not packet contents. GuardDuty consumes them automatically to
flag port scans, known-bad IPs, and unusual data transfer; custom filters catch the rest, such as
ACCEPTed SSH from the internet or a single source probing many ports.
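The kind of detection logic a practitioner would run over flow log lines, added here as an
example and not part of the original page: it parses the default (version 2) flow log record
format, ignores NODATA/SKIPDATA records, and flags sources whose rejected connections spread over
many ports as well as accepted SSH/RDP flows from outside the private address ranges. The sample
lines, account ID, ENI ID and addresses are constructed; the function names are chosen for this
example.

```python
"""Detect port scans and exposed admin ports in VPC Flow Logs (added example).

Parses the default (version 2) flow log format; the log lines below are
constructed for this example and the account, ENI and addresses are placeholders.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# "Inside the VPC" for this example means RFC 1918 space. ipaddress.is_private
# would also treat the documentation ranges used below as private, so the
# check is explicit.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41234 21 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41235 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41236 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41237 25 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41238 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41239 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41240 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.8 10.0.1.15 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 52000 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.5 10.0.1.15 53000 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; skip malformed and NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                            # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                            # no traffic fields to parse
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed attempts touch at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_external_admin_access(records, admin_ports=(22, 3389)):
    """ACCEPTed SSH/RDP from outside the private ranges: a security-group
    misconfiguration unless the destination is the intended bastion."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in admin_ports
            and not is_internal(r["srcaddr"])]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE)
    print(find_port_scans(recs))
    print(find_external_admin_access(recs))
```

The REJECT records are the cheap signal: they are produced by the security group or NACL
decision, so a scanner shows up even though it never reached an instance. The same logic maps
directly onto a CloudWatch Logs Insights query (filter action = "REJECT", then count distinct
dstport by srcaddr) once the logs are in CloudWatch.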

26. What are GitLab Actions?

"Actions" is GitHub's term (GitHub Actions); GitLab's equivalent is GitLab CI/CD pipelines, defined
in .gitlab-ci.yml as stages and jobs executed by runners. They automate testing, container builds,
deployments, and infrastructure provisioning. Security points worth raising: protect and mask
CI/CD variables, restrict protected branches and environments, use OIDC to assume a cloud role
instead of storing long-lived cloud keys, and pin the images and tools the jobs run.

27. Terraform Drift?

Drift occurs when the real infrastructure changes outside Terraform (a console edit, an emergency
security-group change) so that state and configuration no longer match reality. terraform plan
refreshes state and reports the drift; you then either apply to restore the declared
configuration or update the configuration (or import) to accept the change. Running plan on a
schedule in CI, and using SCPs or IAM to stop manual changes in production, keeps drift from
accumulating.

AWS Lambda Interview Questions

1. How to optimize a Lambda function?

To optimize Lambda, I focus on:

• Reducing cold starts: provisioned concurrency for latency-sensitive functions, SnapStart for
supported runtimes (originally Java), and keeping initialization cheap.

• Initializing SDK clients, database connections, and configuration outside the handler so
warm invocations reuse them.

• Keeping the package small by including only the libraries the function needs, which shortens
download and initialization time.

• Tuning memory (which also scales CPU) and timeout against measured duration rather than
guessing.

2. How to increase Lambda function performance?

I improve performance by:

• Allocating more memory, which increases CPU power.

• Optimizing code execution with efficient logic and libraries.

• Enabling provisioned concurrency to minimize cold starts.

3. What are common issues you face in Lambda?

Some common issues include:

• Cold starts, especially for infrequently invoked functions.

• Timeouts due to unoptimized code or resource bottlenecks.

• IAM permission errors when Lambda interacts with other AWS services.

4. What resources do you use for event-driven Lambda?

For event-driven architectures, I often use:

• S3: Event notifications for file uploads.

• DynamoDB Streams: Triggers for table updates.

• SNS/SQS: Queues or topics for decoupled messaging.

• API Gateway: To trigger Lambda for HTTP events.

5. How do you handle errors in Lambda?

I handle errors according to the invocation type:

• Asynchronous invocations (S3, SNS, EventBridge): Lambda retries twice, then sends the event to
a Dead Letter Queue (SQS or SNS) or an on-failure destination, which I configure so failures are
never silently dropped.

• SQS event sources: a failed batch returns to the queue and lands in the queue's own DLQ after
maxReceiveCount; I enable ReportBatchItemFailures so only the failing messages are retried, not
the whole batch.

• Stream sources (Kinesis, DynamoDB Streams): maximum retry attempts, bisect-on-error, and an
on-failure destination, so one poison record cannot block the shard.

• CloudWatch Logs with structured logging for diagnosing the failures.

6. How do you monitor a Lambda function?

I monitor Lambda using:

• CloudWatch Metrics: Invocation count, duration, errors, and throttling.

• CloudWatch Logs: To analyze runtime errors.

• AWS X-Ray: For tracing and debugging function execution.

7. How do you handle synchronous invocation?

For synchronous invocations such as API Gateway or SDK calls, Lambda does not retry; the caller
sees the result or the error. So I make the function return a well-formed response with an
explicit status code and message, catch exceptions so the API returns a 4xx/5xx rather than a
generic 502, keep work within the caller's timeout (API Gateway's integration timeout is 29
seconds by default, far below Lambda's 15 minutes), and make the operation idempotent because
clients will retry on their own.

8. How do you handle Lambda timeouts?

I:

1. Identify the bottleneck causing long execution times (X-Ray traces, duration metrics).

2. Optimize code or external API calls, and set client-side timeouts on those calls so one slow
dependency cannot consume the whole budget.

3. Check context.get_remaining_time_in_millis() in long loops and stop cleanly, returning
unfinished work for retry, instead of being killed mid-way.

4. Adjust the timeout setting up to the 15-minute maximum only when the work genuinely needs it;
beyond that, split the work with Step Functions or a queue.

9. How do you capture failed events?

Failed events are captured using:

• Dead Letter Queues (DLQ) or on-failure destinations for asynchronous invocations; a
destination also records the error and the invocation context, which a DLQ does not.

• The source queue's redrive policy for SQS-triggered functions, with partial batch responses so
only the failing messages are redriven.

• CloudWatch Logs for detailed error traces, and CloudWatch alarms on the Errors and
DeadLetterErrors metrics.

• Event source retries where applicable, such as SQS visibility-timeout retries or EventBridge's
retry policy.
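An SQS-triggered handler that puts questions 5, 8 and 9 into practice, added here as an example
and not code from the page: it reports only the failing messages back to SQS (partial batch
response), quarantines poison messages instead of letting them loop through retries to the DLQ,
and hands back the unprocessed tail of the batch when the time budget is nearly gone. It assumes
the event source mapping is created with FunctionResponseTypes set to ReportBatchItemFailures;
process_order, QUARANTINE, FakeContext and demo_event are constructed stand-ins for this example.

```python
"""SQS-triggered Lambda handler with partial batch failure (added example).

Assumes the event source mapping has FunctionResponseTypes =
["ReportBatchItemFailures"]; without it Lambda ignores the return value and
retries the whole batch on any error. process_order and QUARANTINE are
constructed stand-ins for real work and for a quarantine queue.
"""
import json
import logging

logger = logging.getLogger(__name__)

# Anything expensive (SDK clients, config, DB connections) belongs here at
# module scope: it runs once per execution environment, not once per invocation.
SAFETY_MARGIN_MS = 2000   # stop taking new records when this little time is left
QUARANTINE = []           # stand-in for a quarantine queue for poison messages


class PermanentError(Exception):
    """The message itself is bad; retrying cannot help."""


class TransientError(Exception):
    """A downstream dependency failed; retrying is the right reaction."""


def process_order(order: dict) -> None:
    """Constructed business logic for the example."""
    if "order_id" not in order:
        raise PermanentError("missing order_id")
    if order.get("simulate") == "transient":
        raise TransientError("downstream timeout")


def handler(event: dict, context) -> dict:
    failures = []
    records = event.get("Records", [])
    for index, record in enumerate(records):
        if context.get_remaining_time_in_millis() < SAFETY_MARGIN_MS:
            # Out of time: return the unprocessed tail so SQS redelivers only
            # those, instead of letting the whole invocation time out.
            failures.extend({"itemIdentifier": r["messageId"]} for r in records[index:])
            break
        message_id = record["messageId"]
        try:
            process_order(json.loads(record["body"]))
        except (PermanentError, json.JSONDecodeError, KeyError, TypeError) as exc:
            # Poison message. Reporting it as failed would make SQS retry it
            # until maxReceiveCount and only then move it to the DLQ; park it now.
            logger.warning("quarantining %s: %s", message_id, exc)
            QUARANTINE.append((message_id, str(exc)))
        except TransientError as exc:
            logger.warning("retrying %s later: %s", message_id, exc)
            failures.append({"itemIdentifier": message_id})
    # Exactly this shape; a misspelled key or an empty list means "all succeeded".
    return {"batchItemFailures": failures}


class FakeContext:
    """Minimal stand-in for the Lambda context object, for local runs."""

    def __init__(self, remaining_ms: int):
        self._remaining = remaining_ms

    def get_remaining_time_in_millis(self) -> int:
        return self._remaining


def demo_event() -> dict:
    """Constructed SQS batch: one good, one malformed, one flaky, one good."""
    return {"Records": [
        {"messageId": "m1", "body": json.dumps({"order_id": 1})},
        {"messageId": "m2", "body": "{not json"},
        {"messageId": "m3", "body": json.dumps({"order_id": 3, "simulate": "transient"})},
        {"messageId": "m4", "body": json.dumps({"order_id": 4})},
    ]}


if __name__ == "__main__":
    print(handler(demo_event(), FakeContext(30_000)))
    print(handler(demo_event(), FakeContext(1_000)))
```

Two design choices matter here. Separating permanent from transient errors is what keeps the
DLQ meaningful: a malformed message is never going to parse, so retrying it only delays the
messages behind it. And the time check turns the 15-minute limit from a crash into a controlled
hand-back, which also keeps the function idempotent-friendly because nothing is half-done when
it stops.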

10. What are the limitations of Lambda?

Key limitations include:

• Timeout limit of 15 minutes per invocation.

• Memory from 128 MB up to 10,240 MB (CPU scales with memory).

• Package size: 50 MB zipped for direct upload, 250 MB unzipped including layers; container
images up to 10 GB.

• Execution environment constraints: /tmp ephemeral storage of 512 MB by default (configurable
up to 10 GB), 6 MB synchronous payload, 4 KB of environment variables, and a default regional
concurrency quota of 1,000 that can be raised.

11. How do you secure serverless architecture?

I secure serverless applications by:

• Giving each function its own IAM execution role with least-privilege permissions, rather than
one shared role.

• Encrypting data at rest and in transit with KMS and TLS, including the function's environment
variables, and keeping secrets in Secrets Manager or Parameter Store instead of plaintext
variables.

• Attaching the function to a VPC when it must reach private resources (RDS, ElastiCache) so
security groups control its network access; this is not an isolation boundary on its own, and a
VPC-attached function needs a NAT gateway or VPC endpoints to reach AWS APIs.

• Validating all event input, putting authentication (Cognito, IAM, or a Lambda authorizer) in
front of API Gateway or function URLs, and pinning and scanning dependencies so the deployment
package carries no known-vulnerable libraries.