AWS DevOps Interview Questions and Answers

Beyond service definitions, an AWS DevOps interview probes four loops: how you provision (IaC and state management), how you ship (CI/CD, rollout strategy), how you secure (IAM, network boundaries, secrets), and how you operate (observability, scaling, incident response, cost). A strong candidate connects these — for example, explaining how a blue/green deploy interacts with target-group health checks, the IAM permissions the deploy role needs, and the CloudWatch alarm that triggers an automatic rollback.

Seniority changes the lens. Mid-level questions are mechanical ('how does an Auto Scaling group replace an unhealthy instance?'). Senior and staff questions are about judgment and blast radius ('we run 40 microservices on EKS, one team wants cluster-admin — what do you do, and how do you keep the cluster multi-tenant-safe?'). Answer with the decision and the reasoning, not just the feature that exists.

The fastest way to sound senior is to volunteer the failure mode. When you describe a design, name what breaks: the single-AZ NAT Gateway that becomes a SPOF, the IAM wildcard that quietly grants iam:PassRole, the missing Terraform state lock that lets two pipelines corrupt state. Interviewers hire people who think about the unhappy path before it happens.

EC2 is raw compute; the DevOps value is in what wraps it — Auto Scaling groups, launch templates, mixed instances policies, and Spot for cost. Know that launch configurations are legacy (new accounts can no longer create them — use launch templates), how an ASG's health-check type (EC2 vs ELB) decides whether it replaces an instance, and how Spot interruptions are handled with capacity rebalancing plus the two-minute interruption notice (and the earlier rebalance recommendation). For stateful nodes, understand the EBS volume lifecycle and why instance-store data is lost on stop or terminate.

ECS vs EKS is the single most common container question. ECS is AWS-native, lower operational overhead, with deep IAM integration via task roles, and two launch types: EC2 (you manage the instances) and Fargate (serverless, you manage nothing below the task). EKS is managed Kubernetes — you get the full CNCF ecosystem (Helm, operators, CRDs, GitOps with Argo CD/Flux), portability across clouds, and a larger talent pool, at the cost of an API server you pay for hourly plus the operational weight of upgrades, add-ons, and the VPC CNI. Pick ECS/Fargate when the team is small and the workload is straightforward; pick EKS when you need Kubernetes primitives, portability, or already have Kubernetes expertise.

On EKS specifically, interviewers go deep. Be ready on: the VPC CNI assigning real VPC IPs to pods (and the IP-exhaustion gotcha on small subnets, mitigated with prefix delegation or a secondary CIDR), IRSA (IAM Roles for Service Accounts) — and its successor EKS Pod Identity — so pods get scoped AWS credentials instead of node-wide instance-profile creds, managed node groups vs self-managed vs Fargate profiles, and Karpenter vs the Cluster Autoscaler for node provisioning. Know that kubectl talks to the Kubernetes API server, but AWS-to-Kubernetes authorization is mapped through EKS access entries (the recommended approach; the older aws-auth ConfigMap is deprecated).

A VPC question usually unfolds into a whiteboard: public and private subnets across multiple AZs, an internet gateway for public ingress, a NAT gateway (one per AZ for HA) for private-subnet egress, and route tables wiring it together. Know that security groups are stateful (return traffic is allowed automatically) and operate at the ENI level, while network ACLs are stateless (you must allow both directions) and operate at the subnet level — and that you almost always prefer security groups, reserving NACLs for coarse subnet-wide deny rules. A frequent gotcha: a single NAT gateway saves money but is an AZ-level SPOF and a real cost line item; VPC endpoints (gateway endpoints for S3/DynamoDB, interface endpoints for most other services) cut NAT data-processing charges and keep traffic off the public internet.

IAM least-privilege is where senior candidates separate themselves. The story you want to tell: start from deny-by-default, grant the narrowest action/resource/condition, prefer roles over long-lived access keys, and use IAM roles for EC2 (instance profiles) and IRSA/Pod Identity for pods so nothing carries static credentials. Know the difference between identity-based and resource-based policies, why iam:PassRole is dangerous (it lets a principal hand a more-privileged role to a service), and how permission boundaries and SCPs (in AWS Organizations) cap what even an admin can do. Mention IAM Access Analyzer to surface unintended external access and CloudTrail to audit who did what.

Secrets and encryption round it out. Secrets Manager (built-in rotation, cross-service integration) vs SSM Parameter Store (cheaper, SecureString backed by KMS) is a common compare. Be fluent on KMS: customer-managed keys vs AWS-managed keys, key policies vs IAM, envelope encryption, and encryption in transit (TLS, ACM-managed certs on an ALB) vs at rest (EBS, S3 SSE-KMS, RDS). The recurring theme: credentials should be short-lived, scoped, and auditable.

Terraform vs CloudFormation is a guaranteed question. CloudFormation is AWS-native, deeply integrated (drift detection, StackSets across accounts/regions, automatic rollback on a failed update), and has no separate state to manage because AWS holds it. Terraform is multi-cloud, has a richer module ecosystem and HCL ergonomics, and — critically — manages its own state file, which you must put in a remote backend (S3) with locking so concurrent applies can't corrupt it. With Terraform 1.10+ you can use S3-native locking (use_lockfile); the older pattern used a DynamoDB table, now deprecated in favor of the lock file. Mention plan/apply discipline, terraform import for existing resources, and why you never change infrastructure by hand once it is under IaC (drift). CDK and Pulumi come up as 'IaC in a real language' alternatives.

For CI/CD, you should be able to design a pipeline end to end. A typical AWS-native flow: source (CodeConnections/GitHub) to build and test (CodeBuild) to artifact (ECR for images, S3 for bundles) to deploy (CodeDeploy/ECS/EKS) orchestrated by CodePipeline; many teams instead use GitHub Actions or GitLab CI as the orchestrator and call AWS via OIDC federation, so no long-lived AWS keys live in the runner. Know rollout strategies — rolling, blue/green (two target groups behind an ALB; shift traffic, keep the old fleet for instant rollback), and canary (shift a small percentage, watch alarms, then proceed) — and how CodeDeploy implements blue/green and canary for ECS, Lambda, and EC2.

The senior signal in CI/CD is safety and reproducibility: build an immutable artifact once and promote that same artifact across environments (build once, deploy many), scope pipeline permissions per stage, wire automatic rollback to CloudWatch alarms, and put infrastructure changes through the same plan-review-apply gate as code. For Kubernetes specifically, GitOps (Argo CD/Flux) makes cluster state a reconciled function of Git, so a rollback is a git revert and drift is auto-corrected.

Observability is the three pillars plus AWS plumbing: metrics (CloudWatch, custom metrics, EMF), logs (CloudWatch Logs, log groups, retention, subscription filters to OpenSearch/Kinesis), and traces (X-Ray, or OpenTelemetry via ADOT exporting to CloudWatch/managed Grafana). Know the difference between alerting on symptoms (latency, error rate — the SLO breach the user feels) versus causes, and be able to define an SLI, SLO, and error budget out loud. For EKS, mention Container Insights and the ADOT stack, and that you scrape Prometheus metrics and ship them to Amazon Managed Prometheus + Managed Grafana.

Cost questions are increasingly common because cloud bills hurt. Have a concrete toolkit: right-size with Compute Optimizer, cover the steady baseline with Savings Plans or Reserved Instances and run fault-tolerant or batch workloads on Spot, set S3 lifecycle policies and storage classes (Intelligent-Tiering, Glacier), kill idle NAT gateways and unattached EBS volumes and Elastic IPs, use VPC endpoints to dodge NAT data charges, and tag everything so Cost Explorer can attribute spend per team. The mature answer ties cost to architecture: the cheapest request is the one you never make, so caching and cutting cross-AZ chatter often beat raw right-sizing.

Scenario questions are the real differentiator: 'p99 latency just doubled, walk me through it' or 'a deploy went out and error rate spiked — what now?' Answer with a method, not a guess: stop the bleed first (roll back or scale out), establish a timeline from the deploy/change log, narrow from metrics to logs to traces, form a hypothesis, test it, and only then fix forward. Name the AWS levers — ASG/HPA to add capacity, target-group deregistration draining, CloudWatch alarms, the CodeDeploy rollback. Close with the follow-up: a blameless postmortem, an alert that would have caught it sooner, and an action item to prevent recurrence.