AWS Cloud Interview Questions for Freshers 2026: 50 Q&A with Core Concepts
Amazon Web Services (AWS) is the world's leading cloud platform, holding approximately 31% of the global cloud infrastructure market. In India, AWS cloud skills are among the most in-demand competencies across freshers entering IT services, product companies, and startups. Companies like TCS, Infosys, Wipro, HCL, and hundreds of mid-size firms are ramping up their AWS practices — and the demand for cloud-trained freshers is growing faster than campus supply.
Whether you are preparing for a cloud engineer role, a cloud associate position, or a generalist IT role where cloud knowledge is a differentiator, this guide provides 50 AWS interview questions for freshers along with complete answers and the conceptual framework you need. All official documentation referenced in this guide is available on AWS's documentation and learning portal. For certification preparation, the AWS Certification page and AWS Skill Builder are the primary official resources.
Cloud computing fundamentals — what every fresher must know
Before diving into AWS-specific questions, ensure you understand the underlying cloud computing concepts. These appear in almost every cloud interview.
What is cloud computing? Cloud computing is the on-demand delivery of IT resources (compute, storage, databases, networking, analytics, AI/ML) over the internet with pay-as-you-go pricing. Instead of buying and maintaining physical servers, organisations use cloud providers' infrastructure.
Three service models:
- IaaS (Infrastructure as a Service): Provides virtualised hardware — servers, storage, networking. You manage the OS and everything above. Example: AWS EC2.
- PaaS (Platform as a Service): Provides a managed platform for developing and deploying applications — you manage the code and data; the provider manages the OS, runtime, and infrastructure. Example: AWS Elastic Beanstalk.
- SaaS (Software as a Service): Fully managed applications delivered over the internet. Example: Gmail, Salesforce, Zoho CRM.
Three deployment models:
- Public cloud: Resources shared across multiple organisations; managed by a provider (AWS, Azure, GCP).
- Private cloud: Dedicated infrastructure for a single organisation, on-premises or hosted.
- Hybrid cloud: Combination of public and private cloud with orchestration between them.
Five characteristics of cloud computing (NIST definition):
- On-demand self-service
- Broad network access
- Resource pooling (multi-tenancy)
- Rapid elasticity
- Measured service (pay-per-use)
AWS core services — conceptual overview
Compute
EC2 (Elastic Compute Cloud): Virtual servers in the AWS cloud. You choose the instance type (defining CPU, RAM, storage, and networking capacity), operating system, and configuration. EC2 instances are the building block of most AWS architectures. Visit AWS EC2 for instance type details.
Lambda: Serverless compute service. You upload code; AWS runs it in response to events without you provisioning or managing servers. You pay only for the milliseconds your code runs. Visit AWS Lambda.
Elastic Beanstalk: A managed PaaS service — upload your application code and Beanstalk handles deployment, load balancing, auto-scaling, and monitoring.
ECS and EKS: Container orchestration. ECS (Elastic Container Service) is AWS-native; EKS (Elastic Kubernetes Service) is managed Kubernetes.
Storage
S3 (Simple Storage Service): Object storage — store any file (images, videos, backups, logs, static website assets) as objects in buckets. S3 is infinitely scalable, highly durable (11 nines = 99.999999999% durability), and supports versioning, lifecycle policies, and cross-region replication. See AWS S3.
EBS (Elastic Block Store): Block storage — like a hard drive attached to an EC2 instance. Data persists even after the instance is stopped.
EFS (Elastic File System): Managed network file system that can be mounted by multiple EC2 instances simultaneously.
Glacier: Low-cost archival storage for data accessed infrequently. Retrieval times range from minutes to hours.
Database
RDS (Relational Database Service): Managed relational database. Supports MySQL, PostgreSQL, Oracle, SQL Server, and Aurora. Handles patching, backups, replication, and failover automatically.
DynamoDB: Fully managed NoSQL database with single-digit millisecond performance at any scale. Used for gaming leaderboards, session stores, e-commerce carts.
ElastiCache: In-memory caching (Redis or Memcached) for frequently accessed data.
Aurora: AWS-proprietary relational database compatible with MySQL and PostgreSQL, offering 5x the performance of standard MySQL on RDS.
Networking
VPC (Virtual Private Cloud): Your private network within AWS. You define the IP address range, create subnets (public and private), set up route tables, and configure network access control lists (NACLs) and security groups.
Subnets: A subnet is a segment of a VPC's IP address range. Public subnets have a route to an Internet Gateway; private subnets do not.
Security Groups: Stateful firewalls at the instance level — if you allow inbound traffic on port 80, return traffic is automatically allowed.
NACLs (Network Access Control Lists): Stateless firewalls at the subnet level — you must explicitly allow both inbound and outbound traffic.
Route 53: AWS's DNS service. Translates domain names to IP addresses. Supports health checks and routing policies (latency-based, geolocation, failover).
CloudFront: Content Delivery Network (CDN). Caches content at edge locations globally to reduce latency for end users.
IAM (Identity and Access Management): Manages who can access AWS resources and what they can do. Users, groups, roles, and policies. The principle of least privilege: grant only the permissions needed, nothing more.
50 AWS cloud interview questions for freshers
Cloud basics (Q1-Q10)
Q1. What is the difference between horizontal scaling and vertical scaling? Vertical scaling (scaling up) means increasing the capacity of a single server — more CPU, RAM, or storage. It has a physical limit and usually requires downtime. Horizontal scaling (scaling out) means adding more servers to distribute load. Cloud-native architectures prefer horizontal scaling because it has no theoretical limit and can be automated using auto-scaling.
Q2. What is an Availability Zone in AWS? An Availability Zone (AZ) is a discrete data centre (or cluster of data centres) within an AWS Region with independent power, cooling, and networking. Each AWS Region has 2-6 AZs. Deploying across multiple AZs protects against single-data-centre failures. For example, the Mumbai (ap-south-1) region has 3 AZs.
Q3. What is the difference between a Region and an Availability Zone? A Region is a geographic area (e.g., Mumbai, Virginia, Singapore). An Availability Zone is an isolated location within a Region. AWS has 33 Regions and 105 AZs globally (as of 2025).
Q4. What is the AWS shared responsibility model? AWS is responsible for security OF the cloud (physical infrastructure, hardware, hypervisor, global network). The customer is responsible for security IN the cloud (data, identity management, OS patching, network configuration, application security). For EC2: AWS manages the host; you manage the OS and application. For S3: AWS manages the hardware; you manage access policies and encryption settings.
Q5. What is an AMI (Amazon Machine Image)? An AMI is a template that contains the software configuration (OS, applications, data) needed to launch an EC2 instance. AWS provides public AMIs (Amazon Linux, Ubuntu, Windows Server); you can also create custom AMIs from configured instances for repeatable deployments.
Q6. What is auto-scaling in AWS? AWS Auto Scaling automatically adjusts the number of EC2 instances (or other resources) based on demand. You define a minimum, maximum, and desired capacity, along with scaling policies — for example, "add one instance when CPU exceeds 70% for 5 minutes; remove one when CPU drops below 30%." This ensures availability during traffic spikes and reduces cost during low traffic.
Q7. What is Elastic Load Balancing? ELB distributes incoming traffic across multiple EC2 instances, containers, or Lambda functions to ensure no single instance is overwhelmed. Types: Application Load Balancer (ALB) — for HTTP/HTTPS traffic with path-based routing; Network Load Balancer (NLB) — for TCP/UDP at extreme performance; Gateway Load Balancer — for third-party virtual appliances.
Q8. What is the AWS Free Tier? AWS Free Tier allows new accounts to use a limited set of AWS services at no charge for 12 months (e.g., 750 hours/month of EC2 t2.micro, 5 GB of S3 storage, 25 GB of DynamoDB storage). Some services have "always free" tiers regardless of account age.
Q9. What is CloudWatch? Amazon CloudWatch is AWS's monitoring service. It collects metrics (CPU utilisation, network I/O, disk reads), logs (from EC2, Lambda, ECS), and events. You set alarms to trigger actions (like auto-scaling or SNS notifications) when metrics cross thresholds.
Q10. What is the difference between spot instances, on-demand instances, and reserved instances? On-demand: Pay for compute capacity by the second with no long-term commitment. Highest per-hour cost, highest flexibility. Reserved instances: Commit to a 1 or 3-year term for a 30-75% discount. Best for predictable workloads. Spot instances: Purchase unused EC2 capacity at up to 90% off on-demand prices. Can be interrupted with 2-minute notice when AWS needs the capacity back. Best for fault-tolerant and flexible workloads.
EC2 questions (Q11-Q15)
Q11. What is an EC2 instance type and how do you choose one? Instance types define the hardware of the host computer. Categories: General purpose (t3, m6i) — balanced CPU/memory for web servers; Compute optimised (c6i) — high CPU for batch processing; Memory optimised (r6i) — high RAM for in-memory databases; Storage optimised (i3) — high IOPS for databases; GPU instances (p4) — machine learning and HPC.
Q12. What is the difference between stopping and terminating an EC2 instance? Stopping preserves the instance (and its EBS root volume) — you can start it again. Terminating permanently deletes the instance. By default, the EBS root volume is also deleted on termination (this is configurable).
Q13. What is a security group in EC2? A security group acts as a virtual firewall for your EC2 instances, controlling inbound and outbound traffic at the instance level. Rules allow traffic but never deny it explicitly (use NACLs for explicit deny). Security groups are stateful — if inbound port 443 is allowed, the response traffic is automatically allowed outbound.
Q14. What is key pair authentication in EC2? EC2 uses asymmetric cryptography for SSH login. AWS stores the public key; you keep the private key (.pem file). When you SSH into an instance, your client uses the private key to prove identity. Losing the private key means losing SSH access to the instance.
Q15. What is an Elastic IP? An Elastic IP is a static public IPv4 address associated with your AWS account. Unlike a regular public IP (which changes every time you stop/start an instance), an Elastic IP persists. You can remap it to a different instance in seconds — useful for quick failover.
S3 questions (Q16-Q20)
Q16. What are S3 storage classes? S3 Standard (frequent access, highest cost), S3 Standard-IA (infrequent access, lower cost), S3 One Zone-IA (single AZ, 20% cheaper than Standard-IA), S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval (minutes to hours), S3 Glacier Deep Archive (cheapest, 12-hour retrieval), and S3 Intelligent-Tiering (auto-moves objects based on access patterns).
Q17. What is an S3 bucket policy? A resource-based policy attached to an S3 bucket that controls access at the bucket or object level. You can make a bucket publicly readable (for static website hosting), restrict access to specific IAM roles, or require MFA for object deletion.
Q18. What is S3 versioning? When versioning is enabled, S3 stores every version of every object. Deleting an object adds a delete marker (rather than permanently deleting it), allowing recovery. Used to protect against accidental deletion and application errors.
Q19. What is S3 Transfer Acceleration? A feature that speeds up uploads to S3 by routing data through AWS CloudFront edge locations globally. Particularly useful when uploading large files from distant geographic locations.
Q20. What is the maximum object size in S3? A single S3 object can be up to 5 TB in size. Objects larger than 100 MB should use multipart upload (splitting the upload into parts that are uploaded in parallel and reassembled by S3).
IAM questions (Q21-Q25)
Q21. What is an IAM role and how is it different from an IAM user? An IAM user represents a person or application with permanent long-term credentials (access key + secret). An IAM role is an identity with temporary credentials that can be assumed by AWS services (like EC2 or Lambda), other accounts, or identity providers. Best practice: EC2 instances should use roles (not hard-coded access keys) to interact with other AWS services.
Q22. What is an IAM policy? A JSON document that defines permissions. Policies are attached to users, groups, or roles. They specify: Effect (Allow/Deny), Action (e.g., s3:GetObject), Resource (specific ARN or wildcard), and optional Condition.
Q23. What is the principle of least privilege? Grant only the minimum permissions needed to perform a task. An EC2 instance that reads from S3 should have a role with only the s3:GetObject permission on the specific bucket — not full s3:* and never full AdministratorAccess.
Q24. What is MFA in AWS? Multi-Factor Authentication adds a second layer of security. Even if someone steals your password, they cannot access your account without the MFA device (a virtual authenticator app or hardware token). AWS recommends enabling MFA for all IAM users and, above all, for the account root user.
Q25. What is AWS STS (Security Token Service)? STS provides temporary security credentials for IAM roles. When an application assumes a role, STS issues credentials with a configurable expiry (15 minutes to 12 hours). These are used instead of long-term access keys for better security.
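The following is an added example, not code from the article, that models the policy evaluation described in Q22 and Q23: the least-privilege policy for a bucket reader beside an over-broad s3:* policy, plus a Deny guardrail to show that an explicit deny beats any allow. The bucket name is a constructed placeholder, and the evaluator is a deliberate simplification (identity-based Effect/Action/Resource only; no Conditions, resource policies, permission boundaries or SCPs).

```python
import re

# Constructed sample policies: the bucket name is a placeholder, not a real bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
    }],
}

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# A guardrail layered on top of the broad policy: an explicit Deny beats any Allow.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def _matches(patterns, candidate, case_sensitive=True):
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.fullmatch(_wildcard_to_regex(p), candidate, flags)
               for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified IAM decision for one request (this model, not AWS's code).

    Any matching Deny wins outright; otherwise a matching Allow grants access;
    if nothing matches the result is an implicit deny. Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, case_sensitive=False)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare(action, resource):
    """Decision under the least-privilege, over-broad and guard-railed policy sets."""
    return {
        "least_privilege": is_allowed([LEAST_PRIVILEGE_POLICY], action, resource),
        "overbroad": is_allowed([OVERBROAD_POLICY], action, resource),
        "overbroad_plus_deny": is_allowed([OVERBROAD_POLICY, DENY_DELETE_POLICY],
                                          action, resource),
    }
```

Calling compare("s3:DeleteObject", "arn:aws:s3:::example-reports-bucket/2025/q1.csv") shows the three outcomes side by side: denied by least privilege, allowed by s3:*, and denied again once the guardrail is attached.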
Lambda and serverless (Q26-Q30)
Q26. What is the maximum execution duration for a Lambda function? 15 minutes (900 seconds). For tasks that take longer, use AWS Step Functions to orchestrate multiple Lambda invocations, or use ECS/EC2 for long-running processes.
Q27. What is a Lambda trigger? An event source that invokes a Lambda function. Common triggers: S3 events (object uploaded), API Gateway (HTTP request), DynamoDB Streams (table changes), SNS (message published), SQS (message in queue), CloudWatch Events/EventBridge (scheduled or rule-based), and Kinesis (streaming data).
Q28. What is cold start in Lambda? When a Lambda function is invoked for the first time (or after a period of inactivity), AWS must initialise a new execution environment — downloading the code, setting up the runtime, and running initialisation code. This adds latency (typically 100ms-1s). Subsequent invocations reuse the warm container. Solutions: Provisioned Concurrency (keeps instances warm) or minimising initialisation code.
Q29. What is API Gateway? Amazon API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. It works as a "front door" for applications to access Lambda functions, other AWS services, or HTTP backends. Used with Lambda for serverless REST APIs.
Q30. What is the difference between SNS and SQS? SNS (Simple Notification Service) is a pub/sub messaging service — a message published to an SNS topic is immediately pushed to all subscribers. SQS (Simple Queue Service) is a message queue — messages are placed in the queue and consumers pull them when ready. SNS is for real-time fan-out; SQS is for decoupling and load levelling.
VPC and networking (Q31-Q35)
Q31. What is a NAT Gateway? A NAT (Network Address Translation) Gateway allows EC2 instances in private subnets to initiate outbound internet traffic (e.g., to download updates) without exposing them to inbound internet connections. The gateway sits in a public subnet and rewrites the source address of outgoing packets to its own public IP, so replies come back through it while unsolicited inbound connections to the private instances are never forwarded.
Q32. What is VPC peering? A networking connection between two VPCs that enables traffic routing between them using private IP addresses. VPC peering is non-transitive — if VPC A peers with VPC B and B peers with VPC C, A and C cannot communicate without a direct peering.
Q33. What is an Internet Gateway? An Internet Gateway is a VPC component that enables communication between instances in the VPC and the internet. A public subnet has a route table entry pointing to the Internet Gateway for 0.0.0.0/0 traffic.
Q34. What is CloudTrail? AWS CloudTrail records API calls made in your AWS account — who did what, from where, and when. Used for security auditing, compliance, and troubleshooting. Every action in the AWS console, CLI, or SDK is logged as a CloudTrail event.
Q35. What is the difference between Security Groups and NACLs? Security Groups are stateful (return traffic automatically allowed) and operate at the instance level. NACLs (Network Access Control Lists) are stateless (return traffic must be explicitly allowed) and operate at the subnet level. Security Groups support only allow rules; NACLs support both allow and deny rules.
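To make the stateful-versus-stateless distinction from Q13 and Q35 concrete, here is an added simulation (written for this guide, not AWS code) of one HTTPS request and its reply passing through a security group with only an inbound 443 rule, and through NACLs with and without the outbound ephemeral-port rule. The IP addresses, ports and rule numbers are constructed; the classes are a teaching model of the behaviour, not an implementation of the real services.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" towards the instance, "out" leaving it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    direction: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; security groups only allow
    number: int = 0         # NACL rule number, evaluated lowest first

    def matches(self, pkt):
        # Inbound rules filter on the remote source; outbound on the remote destination.
        remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        return (self.direction == pkt.direction
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    """Stateful: once a packet is allowed, replies to that flow pass automatically."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def permits(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True              # reply to a tracked connection
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False                 # no deny rules exist: no match means drop

class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the numbered
    rules in ascending order; first match wins; no match is an implicit deny."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action == "allow"
        return False

def https_exchange(client_ip="198.51.100.10", server_ip="10.0.1.25"):
    """Constructed two-packet HTTPS exchange: request in, reply out on the ephemeral port."""
    return (Packet("in", client_ip, 51234, server_ip, 443),
            Packet("out", server_ip, 443, client_ip, 51234))

def run_scenarios():
    request, reply = https_exchange()
    sg = SecurityGroup([Rule("in", 443, 443, "0.0.0.0/0")])   # no outbound rule at all
    nacl_half = NetworkAcl([Rule("in", 443, 443, "0.0.0.0/0", number=100)])
    nacl_full = NetworkAcl([Rule("in", 443, 443, "0.0.0.0/0", number=100),
                            Rule("out", 1024, 65535, "0.0.0.0/0", number=100)])
    nacl_deny = NetworkAcl([Rule("in", 443, 443, "198.51.100.0/24", "deny", 90),
                            Rule("in", 443, 443, "0.0.0.0/0", number=100),
                            Rule("out", 1024, 65535, "0.0.0.0/0", number=100)])
    return {name: (f.permits(request), f.permits(reply)) for name, f in [
        ("security_group", sg), ("nacl_missing_ephemeral_rule", nacl_half),
        ("nacl_with_ephemeral_rule", nacl_full), ("nacl_deny_rule_first", nacl_deny)]}
```

run_scenarios() returns (request passed, reply passed) per filter: the security group passes both with a single inbound rule, the NACL without an outbound 1024-65535 rule drops the reply, and the numbered deny rule blocks the request because it is evaluated before the broader allow.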
AWS certifications and misc (Q36-Q50)
Q36. What is the AWS Certified Cloud Practitioner exam? The AWS Certified Cloud Practitioner (CLF-C02) is the entry-level AWS certification. It covers Cloud Concepts (24%), Security and Compliance (30%), Cloud Technology and Services (34%), and Billing, Pricing, and Support (12%). Prepare using free resources at AWS Skill Builder.
Q37. What is RDS Multi-AZ? RDS Multi-AZ automatically replicates your database to a standby instance in a different Availability Zone. If the primary instance fails, RDS automatically fails over to the standby with minimal downtime — typically under 60-120 seconds.
Q38. What is the difference between RDS and DynamoDB? RDS is a managed relational database (SQL) suited for structured data with complex relationships and ACID transaction requirements. DynamoDB is a NoSQL database suited for unstructured or semi-structured data with simple access patterns and massive scale requirements.
Q39. What is Elastic Beanstalk? Elastic Beanstalk is AWS's PaaS offering. You upload your application code (in Python, Java, Node.js, Ruby, PHP, Go, or Docker), and Beanstalk automatically handles provisioning EC2, load balancing, auto-scaling, and monitoring. You retain full access to the underlying AWS resources.
Q40. What is AWS CloudFormation? CloudFormation is AWS's Infrastructure as Code (IaC) service. You define your infrastructure in JSON or YAML templates, and CloudFormation creates and manages the corresponding AWS resources. This enables version-controlled, repeatable, automated infrastructure deployment.
Q41. What is the difference between CloudWatch and CloudTrail? CloudWatch monitors the performance of AWS resources and applications (CPU usage, latency, error rates). CloudTrail logs API activity — who made which AWS API call, from which IP, at what time. CloudWatch is for operational monitoring; CloudTrail is for security auditing.
Q42. What is Amazon EKS? Elastic Kubernetes Service (EKS) is AWS's managed Kubernetes service. It runs the Kubernetes control plane across multiple Availability Zones and automatically scales and patches it. EKS is used for containerised applications requiring orchestration beyond what ECS provides.
Q43. What is S3 Cross-Region Replication? CRR automatically replicates objects from an S3 bucket in one AWS Region to a bucket in another Region. Used for disaster recovery, reducing latency for geographically distributed users, and meeting data residency requirements.
Q44. What is AWS WAF? Web Application Firewall (WAF) protects web applications from common web exploits like SQL injection, cross-site scripting (XSS), and bot attacks. You define rules; WAF evaluates incoming HTTP/HTTPS requests and blocks or allows them.
Q45. What is Glacier Deep Archive? The lowest-cost AWS storage class, designed for long-term archival of data accessed very rarely (once or twice per year). Retrieval takes up to 12 hours. Used for regulatory compliance, backup archives, and long-term data preservation.
Q46. What is AWS Config? AWS Config tracks the configuration state of your AWS resources over time. It records when configurations change and evaluates whether those changes comply with your defined rules. Used for compliance auditing and operational troubleshooting.
Q47. What is Elasticsearch/OpenSearch on AWS? Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) is a managed search and analytics engine based on OpenSearch, an open-source fork of Elasticsearch. Used for log analytics, real-time application monitoring, and full-text search.
Q48. What is the AWS CDK? The Cloud Development Kit (CDK) lets you define cloud infrastructure using familiar programming languages (TypeScript, Python, Java, C#) rather than YAML/JSON templates. CDK synthesises CloudFormation templates from your code.
Q49. What is an ARN? Amazon Resource Name (ARN) is a unique identifier for every AWS resource. Format: arn:partition:service:region:account-id:resource-type/resource-id. Example: arn:aws:s3:::my-bucket. ARNs are used in IAM policies to specify exact resources.
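An added parser for the ARN format quoted in Q49 (written for this guide; it is not an AWS library). It handles the empty region and account fields of S3 and IAM ARNs and both resource separators, "type/id" and "type:id". The account number 123456789012 used in the comments and tests is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Arn:
    partition: str            # "aws", "aws-cn", "aws-us-gov"
    service: str              # "s3", "iam", "ec2", ...
    region: str               # empty for global services such as IAM, and for S3
    account_id: str           # empty for S3 ARNs
    resource_type: Optional[str]
    resource_id: str
    separator: str            # "/" or ":" between type and id, "" if there is no type

    def __str__(self):
        resource = (self.resource_id if self.resource_type is None
                    else f"{self.resource_type}{self.separator}{self.resource_id}")
        return f"arn:{self.partition}:{self.service}:{self.region}:{self.account_id}:{resource}"


def parse_arn(text):
    """Split an ARN into its six fields; raises ValueError for malformed input."""
    parts = text.split(":", 5)        # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"ARN is missing a required field: {text!r}")
    # The resource is "type/id" (EC2, IAM), "type:id" (Lambda) or a bare id
    # (S3 bucket). Whichever separator appears first decides the form; for an
    # S3 object ARN the bucket name therefore lands in resource_type.
    positions = [(resource.index(c), c) for c in "/:" if c in resource]
    if not positions:
        return Arn(partition, service, region, account_id, None, resource, "")
    idx, sep = min(positions)
    return Arn(partition, service, region, account_id,
               resource[:idx], resource[idx + 1:], sep)


def is_valid_arn(text):
    """Convenience check used when validating ARNs pasted into a policy."""
    try:
        parse_arn(text)
        return True
    except ValueError:
        return False
```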
Q50. What is AWS Trusted Advisor? Trusted Advisor is an online tool that provides real-time guidance to help you provision AWS resources following best practices. It checks across five categories: cost optimisation, performance, security, fault tolerance, and service limits.
AWS cloud interview preparation plan for freshers
Week 1: Cloud computing fundamentals — IaaS/PaaS/SaaS, deployment models, NIST characteristics. AWS global infrastructure (Regions, AZs, Edge Locations). Core services overview.
Week 2: Core services deep dive — EC2 (instance types, launch, security groups, EBS), S3 (storage classes, policies, versioning), IAM (users, roles, policies, least privilege), RDS (managed databases, read replicas, Multi-AZ), VPC (subnets, security groups, NACLs, NAT, routing).
Week 3: Advanced services — Lambda and serverless, CloudFront, Route 53, CloudWatch, Auto Scaling, ELB. Start free AWS Skill Builder labs for hands-on practice.
Week 4: Mock interviews and certification prep. Take AWS Cloud Practitioner practice exams. Use ClavePrep's AI mock interview to practise verbal explanations of cloud concepts.
Frequently asked questions
Is AWS certification required for cloud fresher jobs? Not required, but the AWS Certified Cloud Practitioner certification is strongly recommended. It demonstrates initiative and baseline cloud literacy. Many companies offer salary premiums for certified candidates.
Which AWS services should freshers focus on first? EC2, S3, IAM, VPC, RDS, and Lambda — these form the core of most AWS-based architectures. Add CloudWatch, Auto Scaling, and ELB once you are comfortable with the core six.
How long does it take to prepare for AWS Cloud Practitioner? 2-4 weeks of dedicated study (1-2 hours per day). Use AWS Skill Builder's free learning paths and take 2-3 practice exams before the real one.
Does knowing AWS help in a non-cloud IT role? Yes. Basic cloud literacy is increasingly expected even in non-cloud roles. Understanding deployment environments, cloud storage, and basic networking makes you a more effective developer or analyst.
Prepare for your cloud interview with ClavePrep
Understanding AWS concepts is only the first step — you also need to articulate them clearly under interview pressure. Use ClavePrep's AI mock interview tool to practise cloud interview questions, get feedback on your explanations, and build confidence. Combined with your AWS Skill Builder labs and practice exams, this complete preparation approach will make you stand out in cloud fresher interviews. Visit ClavePrep to start today.
