AWS Basics
EC2, S3, RDS, Lambda, IAM — core AWS building blocks.
Theory
Amazon Web Services spans 30+ regions; each region has multiple Availability Zones (isolated data centers). Place workloads across AZs for HA; use regions for latency and compliance.
EC2 provides virtual machines (instance types: compute, memory, GPU optimized). Auto Scaling Groups + ALB replace failed instances. Use launch templates, not one-off AMIs.
S3 is object storage (11 nines durability). Buckets are global names; enable versioning, encryption (SSE-S3/KMS), and block public access by default.
RDS manages relational databases (Postgres, MySQL). Multi-AZ sync replica for failover; read replicas for scale. Backups and maintenance windows are automated.
Lambda runs event-driven functions — pay per invocation and GB-second. Cold starts matter for latency; use provisioned concurrency for steady traffic.
IAM is the permission system: users, roles, policies (JSON). Prefer roles for EC2/Lambda over long-lived access keys. Least privilege with policy boundaries.
VPC isolates networks: subnets (public/private), route tables, NAT gateway for outbound private traffic, security groups (stateful) vs NACLs (stateless).
CloudWatch collects metrics, logs, and alarms. Wire alarms to SNS/PagerDuty. Cost Explorer and budgets prevent surprise bills.
Architecture Diagram
Users --> Route53 / CloudFront
|
v
ALB (public subnet)
|
EC2 ASG (private)
/ \
v v
RDS Multi-AZ ElastiCache
|
S3 (assets, backups)
|
CloudWatch / IAM rolesExamples
aws s3 mb s3://my-app-assets-prod
aws s3 cp ./dist s3://my-app-assets-prod/ --recursive
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=prod" \
--query "Reservations[].Instances[].InstanceId"
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::my-bucket/public/*"
}
Interview Questions
Region vs Availability Zone?
Region is geographic; AZ is isolated DC within region. Spread ASG across 2+ AZs for HA.
Security Group vs NACL?
SG is stateful, instance-level, allow rules. NACL is stateless, subnet-level, allow+deny.
When Lambda vs EC2?
Lambda for spiky/short tasks and ops glue; EC2 for long-running, custom kernel, or steady high CPU.
S3 consistency model?
Read-after-write for new objects; strong read consistency for overwrites/deletes (since 2020).
IAM role vs access key?
Roles rotate automatically via STS — preferred for apps on AWS; keys are static secrets.
RDS failover?
Multi-AZ: automatic DNS failover to standby; brief disconnect — apps must retry.
How to reduce AWS bill?
Right-size instances, Savings Plans/RI, S3 lifecycle to Glacier, delete idle EIPs/NAT, tagging for chargeback.
What is VPC peering?
Private routing between two VPCs — non-transitive; often use Transit Gateway at scale.
FAANG: design multi-region active-active?
Route53 latency routing, DynamoDB global tables or conflict-aware DB, S3 CRR, careful session stickiness.
Shared responsibility model?
AWS secures cloud; you secure data, IAM, OS patches on EC2, app code, security group rules.
Best Practices
- Enable MFA on root; use IAM Identity Center
- Tag every resource (env, team, cost-center)
- Private subnets for app/DB tiers
- Encrypt data at rest and in transit
- Use Infrastructure as Code (Terraform/CDK)
- Set billing alarms
Common Mistakes
- Public S3 buckets
- Root access keys in CI
- Single-AZ RDS for production
- Oversized instances without metrics review
- NAT Gateway in every dev VPC 24/7
Cheat Sheet
Practical Exercises
Draw public/private subnets, ALB, EC2, RDS with security groups.
Deploy HTTP API hitting Lambda; add CloudWatch alarm on 5xx.
Use Cost Explorer to find top 5 spend services; propose savings.