Friday, January 16, 2026

AWS EC2 Interview Questions and Answers

 

EC2 Instances

What is an EC2 instance?

An EC2 instance is a virtual machine running in the Amazon Elastic Compute Cloud (EC2) environment. It provides scalable compute capacity in the AWS cloud, allowing you to deploy applications without investing in physical hardware. EC2 instances can run various operating systems (Linux, Windows, etc.) and can be resized, stopped, started, or terminated based on needs. They form the core compute layer for applications hosted in AWS.


Explain the difference between an instance and an AMI.

An EC2 instance is an operational virtual server currently running in AWS.
An Amazon Machine Image (AMI) is a template used to create instances.

AMI serves as the blueprint containing:

  • OS
  • Application software
  • Configurations
  • Optional data

You use AMIs to create new instances rapidly and consistently. Instances are the live, running machines created from these AMIs.


How do you launch an EC2 instance?

You can launch an EC2 instance in several ways:

  1. AWS Management Console – The GUI-based approach where you pick an AMI, choose instance type, configure storage, networking, security groups, and launch.
  2. AWS CLI – Using commands like: 
    aws ec2 run-instances --image-id ami-12345 --instance-type t2.micro
  3. AWS SDKs – Using Python, Java, or other languages with programmatic control.

What is the significance of an instance type?

Instance types define the hardware characteristics assigned to an instance, such as:

  • CPU (vCPUs)
  • Memory (RAM)
  • Networking throughput
  • Storage type and capacity

AWS categorizes instance types into:

  • General Purpose
  • Compute Optimized
  • Memory Optimized
  • Storage Optimized
  • Accelerated Computing

Choosing the correct instance type directly affects performance, cost, and application behavior.


What is the purpose of user data in EC2 instances?

User data lets you supply scripts or configuration commands that run automatically when the instance starts for the first time. Typical use cases include:

  • Software installation
  • Bootstrapping applications
  • File downloads
  • System configuration
  • Automated deployments

User data scripts run as root and significantly reduce manual configuration effort.


How can you stop and start an EC2 instance?

You can stop, start, or restart EC2 instances through:

  • AWS Console
  • AWS CLI using commands like:
    aws ec2 stop-instances --instance-ids i-1234
    aws ec2 start-instances --instance-ids i-1234
  • AWS SDK

Stopping an instance shuts it down but preserves its EBS-backed data.


What is the difference between stopping and terminating an EC2 instance?

  • Stopping an instance:

    • Halts the VM
    • Retains the EBS root volume
    • You can start it again
    • You continue incurring EBS charges
  • Terminating an instance:

    • Permanently deletes the VM
    • Deletes the root volume (unless “Delete on Termination” is disabled)
    • Cannot be restarted

How do you resize an EC2 instance?

To change the instance type:

  1. Stop the instance.
  2. Modify instance type from the console or CLI.
  3. Start the instance again.

The new instance type must be compatible with the instance's virtualization type; not every instance family can be used with every existing instance.


Can you attach an IAM role to an existing EC2 instance?

Yes. You can attach or modify an IAM role for an existing instance by:

  • Stopping the instance (not always required)
  • Editing IAM role settings
  • Restarting the instance

IAM roles eliminate the need to store access keys inside instances.


Explain the concept of an Elastic IP address.

An Elastic IP (EIP) is a static public IPv4 address assigned to your AWS account. You can map it to any instance, ensuring:

  • The public IP remains the same even if the instance stops/starts
  • High availability by remapping it to a standby instance

AWS charges for unused Elastic IPs to encourage efficient usage.


Security Groups

What is a security group in EC2?

A security group acts as a virtual stateful firewall controlling inbound and outbound traffic at the instance level. You define rules based on:

  • Protocol (TCP, UDP, ICMP)
  • Port range
  • Source/destination (IP or security group)

How is a security group different from a NACL?

  Security Group                         | NACL
  ---------------------------------------|-------------------------------------------
  Instance-level                         | Subnet-level
  Stateful                               | Stateless
  Automatically allows response traffic  | Requires explicit inbound & outbound rules
  Applied to EC2 instances               | Applied to subnets

Can you associate multiple security groups with one EC2 instance?

Yes. An instance can have multiple security groups, and the rules from all associated groups are combined (logical OR).


What are inbound and outbound rules?

  • Inbound rules: Define allowed incoming traffic to the instance.
  • Outbound rules: Define allowed outgoing traffic from the instance.

All unspecified traffic is automatically denied.


How does security group evaluation work?

Security groups allow only the traffic explicitly permitted by rules. Because they are stateful:

  • If inbound traffic is allowed, outbound response is automatically allowed.
  • If outbound traffic is allowed, inbound response is automatically allowed.

Default behavior: deny all unless explicitly allowed.
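The stateful versus stateless distinction and the "logical OR" across security groups are easiest to see by evaluating a few packets against both kinds of rule set. The following Python model is an added example written for this page, not AWS code; the web server address, client addresses, group names and rule sets are constructed. It goes slightly beyond the text by modelling NACL rules as numbered allow/deny entries evaluated in order, which is how network ACLs actually behave.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule: protocol, port range and the peer CIDR it applies to."""
    protocol: str       # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str

    def matches(self, protocol, port, peer_ip):
        return (self.protocol in ("-1", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr))


@dataclass(frozen=True)
class Flow:
    """A packet's 5-tuple; reverse() is the reply direction."""
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.protocol, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def _peer(direction, flow):
    # Inbound rules are matched on the source; outbound rules on the destination.
    return flow.src_ip if direction == "in" else flow.dst_ip


class SecurityGroups:
    """Security group semantics for one instance: allow-only rules, the union of all
    attached groups (logical OR), stateful via connection tracking, default deny."""

    def __init__(self, groups):
        # groups: {"web": {"in": [Rule, ...], "out": [Rule, ...]}, ...}
        self.rules = {d: [r for g in groups.values() for r in g.get(d, [])]
                      for d in ("in", "out")}
        self.tracked = set()

    def allows(self, direction, flow):
        if flow.reverse() in self.tracked:          # reply to an allowed flow: always permitted
            return True
        peer = _peer(direction, flow)
        if any(r.matches(flow.protocol, flow.dst_port, peer) for r in self.rules[direction]):
            self.tracked.add(flow)
            return True
        return False                                # nothing matched: implicit deny


class NetworkAcl:
    """NACL semantics: numbered allow/deny rules evaluated lowest number first, no
    connection tracking, so return traffic needs its own (ephemeral-port) rule."""

    def __init__(self, inbound, outbound):
        # each entry: (rule_number, "allow" or "deny", Rule)
        self.rules = {"in": sorted(inbound, key=lambda e: e[0]),
                      "out": sorted(outbound, key=lambda e: e[0])}

    def allows(self, direction, flow):
        peer = _peer(direction, flow)
        for _number, action, rule in self.rules[direction]:
            if rule.matches(flow.protocol, flow.dst_port, peer):
                return action == "allow"
        return False                                # the trailing '*' deny rule


def demo():
    """Constructed scenario: web server 10.0.1.10 with two security groups and one NACL."""
    sg = SecurityGroups({
        "web":   {"in": [Rule("tcp", 443, 443, "0.0.0.0/0")],
                  "out": [Rule("tcp", 443, 443, "0.0.0.0/0")]},
        "admin": {"in": [Rule("tcp", 22, 22, "10.0.0.0/8")]},
    })
    acl_ok = NetworkAcl(
        inbound=[(100, "allow", Rule("tcp", 443, 443, "0.0.0.0/0"))],
        outbound=[(100, "allow", Rule("tcp", 1024, 65535, "0.0.0.0/0"))],  # ephemeral ports for replies
    )
    acl_no_ephemeral = NetworkAcl(
        inbound=[(100, "allow", Rule("tcp", 443, 443, "0.0.0.0/0"))],
        outbound=[(100, "allow", Rule("tcp", 443, 443, "0.0.0.0/0"))],     # return traffic forgotten
    )
    https = Flow("tcp", "203.0.113.5", 51000, "10.0.1.10", 443)
    ssh_internal = Flow("tcp", "10.0.5.5", 40000, "10.0.1.10", 22)
    ssh_internet = Flow("tcp", "203.0.113.5", 40001, "10.0.1.10", 22)
    app = Flow("tcp", "203.0.113.5", 40002, "10.0.1.10", 8080)
    return {
        "sg_https_in": sg.allows("in", https),
        "sg_https_reply": sg.allows("out", https.reverse()),   # no outbound rule for port 51000, stateful anyway
        "sg_ssh_from_internal": sg.allows("in", ssh_internal), # permitted by the second group (OR)
        "sg_ssh_from_internet": sg.allows("in", ssh_internet),
        "sg_port_8080": sg.allows("in", app),                  # default deny
        "acl_https_in": acl_ok.allows("in", https),
        "acl_https_reply": acl_ok.allows("out", https.reverse()),
        "acl_reply_without_ephemeral_rule": acl_no_ephemeral.allows("out", https.reverse()),
    }
```

Running demo() shows the reply to the HTTPS connection passing the security group with no outbound rule for it, while the same reply is dropped by the NACL that lacks an ephemeral-port outbound rule, which is the practical consequence of stateless evaluation.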


EBS Volumes

What is an EBS volume?

An EBS volume is durable, block-level storage that persists independently from EC2 instances. It replicates data within an Availability Zone to ensure high availability and can be used as:

  • Root volumes
  • Data volumes
  • Database storage

Difference between EBS-backed and instance store-backed instances.

  • EBS-backed:

    • Root volume stored on EBS
    • Persistent across stop/start
    • Supports snapshots and resizing
  • Instance-store backed:

    • Root volume stored on ephemeral storage on host hardware
    • Data is lost if instance stops or fails
    • Higher performance but non-persistent

How can you increase EBS volume size?

Steps:

  1. Take a snapshot of the existing volume (optional but recommended).
  2. Modify the volume size from console or CLI.
  3. Expand the filesystem inside the OS.

Modern EBS volumes allow online resizing without detaching.


Can you attach multiple EBS volumes to an EC2 instance?

Yes. Instances can have multiple EBS volumes (limited by instance type), each assigned a unique device name like /dev/xvdf.


Difference between gp2 and io1.

  • gp2 (General Purpose SSD):

    • Balanced price/performance
    • Baseline performance with burst capability
  • io1/io2 (Provisioned IOPS SSD):

    • Designed for high I/O workloads like databases
    • You can specify exact IOPS
    • Higher cost and more consistent performance

DLM (Data Lifecycle Manager)

What is AWS Data Lifecycle Manager?

AWS DLM automatically manages EBS snapshot creation, retention, and deletion based on defined policies, reducing manual backup management overhead.


How do you create a lifecycle policy?

You define:

  • Target volumes
  • Snapshot frequency
  • Retention rules
  • Tags

DLM automates snapshot creation and cleanup using the policy.


What is a retention policy?

Retention policies specify:

  • How many snapshots to keep
  • How long snapshots should be retained

Older snapshots are automatically deleted by AWS.


Snapshots

What is an EBS snapshot?

A snapshot is a point‑in‑time backup of an EBS disk stored in Amazon S3 (managed internally). You can restore these snapshots to create new EBS volumes or AMIs.


How do you create a snapshot?

Through:

  • Console
  • CLI: aws ec2 create-snapshot --volume-id vol-1234
  • SDKs

Snapshots are incremental, storing only changed blocks.
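Two of the points above, that snapshots store only changed blocks and that a DLM retention policy deletes older snapshots automatically, interact in a way worth seeing end to end: deleting an old snapshot in an incremental chain must not break the newer ones. The Python model below is an added example for this page, not AWS code; it uses a toy block size, constructed volume contents and constructed snapshot ids, and tracks blocks by content hash purely to keep the model short.

```python
import hashlib
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 4   # bytes per block in this toy model (real EBS snapshots work in 512 KiB blocks)


def _chunks(volume):
    return [volume[i:i + BLOCK_SIZE] for i in range(0, len(volume), BLOCK_SIZE)]


class SnapshotStore:
    """Toy model of the snapshot backing store: each distinct block is kept once and shared
    by every snapshot that contains it, so a new snapshot only writes blocks that changed."""

    def __init__(self):
        self.blocks = {}      # content hash -> block data
        self.snapshots = {}   # snapshot id -> {"created": datetime, "index": {block_no: hash}}
        self._next_id = 1

    def create_snapshot(self, volume, created):
        index, written = {}, 0
        for block_no, data in enumerate(_chunks(volume)):
            digest = hashlib.sha256(data).hexdigest()
            if digest not in self.blocks:       # unchanged blocks are not written again
                self.blocks[digest] = data
                written += 1
            index[block_no] = digest
        snap_id = f"snap-{self._next_id:04d}"   # constructed id
        self._next_id += 1
        self.snapshots[snap_id] = {"created": created, "index": index}
        return snap_id, written

    def restore(self, snap_id):
        """Every snapshot restores to a complete volume, however little it wrote itself."""
        index = self.snapshots[snap_id]["index"]
        return b"".join(self.blocks[index[i]] for i in sorted(index))

    def delete_snapshot(self, snap_id):
        """Only blocks that no surviving snapshot references are freed."""
        del self.snapshots[snap_id]
        live = {h for s in self.snapshots.values() for h in s["index"].values()}
        self.blocks = {h: d for h, d in self.blocks.items() if h in live}


def expired_snapshots(store, keep_count=None, keep_days=None, now=None):
    """DLM-style retention: keep the newest keep_count snapshots, or only those no older
    than keep_days; everything else is returned as due for deletion."""
    now = now or datetime.now(timezone.utc)
    newest_first = sorted(store.snapshots.items(), key=lambda kv: kv[1]["created"], reverse=True)
    expired = []
    for position, (snap_id, meta) in enumerate(newest_first):
        over_count = keep_count is not None and position >= keep_count
        over_age = keep_days is not None and now - meta["created"] > timedelta(days=keep_days)
        if over_count or over_age:
            expired.append(snap_id)
    return expired


def demo():
    store = SnapshotStore()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)          # constructed timestamps
    volume = bytearray(b"AAAABBBBCCCCDDDD")                   # four 4-byte blocks
    snap1, new1 = store.create_snapshot(bytes(volume), t0)                          # full copy
    volume[4:8] = b"bbbb"                                                            # change block 1 only
    snap2, new2 = store.create_snapshot(bytes(volume), t0 + timedelta(days=1))      # incremental
    volume[12:16] = b"dddd"                                                          # change block 3 only
    snap3, new3 = store.create_snapshot(bytes(volume), t0 + timedelta(days=2))      # incremental
    results = {"blocks_written": (new1, new2, new3), "physical_blocks": len(store.blocks)}

    # Retention policy "keep the 2 most recent": the first snapshot expires...
    expired = expired_snapshots(store, keep_count=2, now=t0 + timedelta(days=2))
    for snap_id in expired:
        store.delete_snapshot(snap_id)
    results["expired"] = expired
    results["physical_blocks_after"] = len(store.blocks)
    # ...and the survivors still restore to their full point-in-time contents.
    results["restore_snap2"] = store.restore(snap2)
    results["restore_snap3"] = store.restore(snap3)
    return results
```

The first snapshot writes all four blocks; each later one writes only the single block that changed. Expiring the oldest snapshot frees just the one block nobody else references, and both remaining snapshots still restore completely.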


Can you snapshot a root volume of a running instance?

Yes, AWS supports snapshots of running volumes. For perfect consistency, especially for databases, stopping the instance or freezing the filesystem is recommended.


Difference between a snapshot and an AMI.

  • Snapshot = Backup of a single EBS volume.
  • AMI = Template to launch instances that includes:
    • OS image
    • Software
    • Configuration
    • One or more snapshots

Load Balancers

What is an Elastic Load Balancer?

An ELB automatically distributes incoming traffic across multiple targets (EC2, containers, IP addresses) and ensures high availability and fault tolerance.


Types of AWS load balancers:

  1. Application Load Balancer (ALB) – Layer 7 (HTTP/HTTPS), intelligent routing, host/path‑based routing.
  2. Network Load Balancer (NLB) – Layer 4 (TCP/UDP), high performance, low latency.
  3. Classic Load Balancer (CLB) – Legacy Layer 4/7 load balancer.

Difference between ALB and NLB.

  • ALB – Works at application layer, supports HTTP routing, WebSockets, microservices
  • NLB – Works at transport layer, supports millions of connections per second, static IPs

What is a Target Group?

Target Groups define where the load balancer forwards traffic. Targets (EC2, IPs, Lambda) are registered and monitored using health checks.


Auto Scaling Group

What is Auto Scaling?

Auto Scaling automatically adjusts EC2 capacity based on demand. It helps maintain performance while minimizing cost.


How do you set up an Auto Scaling Group?

  1. Define a Launch Template or Launch Configuration
  2. Create an Auto Scaling Group specifying:
    • Min/Max/Desired capacity
    • VPC and subnets
    • Load balancer (optional)

Scaling policies define when to add/remove instances.


Significance of Launch Configurations?

A Launch Configuration is a template describing:

  • AMI
  • Instance type
  • Key pair
  • Security groups
  • Storage

It ensures new instances launched by Auto Scaling are identical.


IAM Roles for EC2

What is an IAM role?

An IAM role is an identity in AWS that provides temporary permissions through policies. It is used by AWS services and applications without exposing credentials.


How do you associate an IAM role with EC2?

Either:

  • During instance launch, or
  • By modifying the IAM role of a running instance via console or CLI

Advantages of IAM roles for EC2?

  • No need to store credentials in code
  • Automatically rotated temporary credentials
  • Centralized access control and least privilege
  • More secure than environment variables or config files
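The reason an instance role removes the need for stored access keys (noted in the EC2 Instances section above and again here) is that the application fetches short-lived credentials from the instance metadata service, and AWS rotates them before they expire. The Python below is an added example for this page, not AWS SDK code; it performs the documented IMDSv2 exchange (session token via PUT, then the role's credential document) and refuses to fall back to the tokenless IMDSv1 path. The FakeImds class, the role name and every credential value in it are constructed so the example runs off-instance.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"      # link-local instance metadata endpoint
TOKEN_TTL_SECONDS = "21600"          # maximum IMDSv2 session token lifetime (6 h)


def http_transport(method, path, headers=None):
    """Real transport used on an instance: plain HTTP to the metadata service."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def fetch_role_credentials(transport=http_transport):
    """IMDSv2 exchange: obtain a session token with PUT, then read the attached role's
    temporary credentials. A failed token request is an error, not a reason to use IMDSv1."""
    status, token = transport("PUT", "/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    if status != 200:
        raise RuntimeError("IMDSv2 token request failed; not falling back to IMDSv1")
    auth = {"X-aws-ec2-metadata-token": token}
    status, role_name = transport("GET", "/latest/meta-data/iam/security-credentials/", auth)
    if status != 200 or not role_name:
        raise RuntimeError("no IAM role attached to this instance")
    status, body = transport("GET", f"/latest/meta-data/iam/security-credentials/{role_name}", auth)
    if status != 200:
        raise RuntimeError(f"could not read credentials for role {role_name}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"credential document not ready: {creds.get('Code')}")
    return {
        "role": role_name,
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["Token"],
        "expiration": datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
                              .replace(tzinfo=timezone.utc),
    }


def needs_refresh(credentials, now, margin=timedelta(minutes=5)):
    """SDKs re-fetch shortly before expiry; the application never rotates keys itself."""
    return credentials["expiration"] - now <= margin


class FakeImds:
    """Constructed stand-in for the metadata service so the example runs anywhere.
    It behaves as an IMDSv2-only instance: every GET must carry a valid session token."""

    def __init__(self):
        self.tokens = set()

    def __call__(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            token = f"tok-{len(self.tokens) + 1}"        # constructed token value
            self.tokens.add(token)
            return 200, token
        if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, ""                               # tokenless request rejected
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, "example-web-role"               # constructed role name
        if path == "/latest/meta-data/iam/security-credentials/example-web-role":
            return 200, json.dumps({                     # constructed credential document
                "Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": "ASIAEXAMPLEKEYID",
                "SecretAccessKey": "EXAMPLE-SECRET-NOT-REAL",
                "Token": "EXAMPLE-SESSION-TOKEN-NOT-REAL",
                "Expiration": "2026-01-16T12:00:00Z",
            })
        return 404, ""


def demo():
    creds = fetch_role_credentials(FakeImds())
    return {
        "role": creds["role"],
        "refresh_at_1130": needs_refresh(creds, datetime(2026, 1, 16, 11, 30, tzinfo=timezone.utc)),
        "refresh_at_1157": needs_refresh(creds, datetime(2026, 1, 16, 11, 57, tzinfo=timezone.utc)),
    }
```

On a real instance, call fetch_role_credentials() with the default transport; the Expiration field is what makes the "automatically rotated" bullet concrete, and needs_refresh() is the check an application runs before each use rather than caching the keys indefinitely.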

Elastic Beanstalk

What is AWS Elastic Beanstalk?

Elastic Beanstalk is a Platform‑as‑a‑Service (PaaS) that simplifies application deployment. AWS automatically handles:

  • EC2 provisioning
  • Load balancing
  • Auto scaling
  • Monitoring
  • Deployment orchestration

You only upload your code.


How does Elastic Beanstalk differ from EC2?

  • Beanstalk = Fully managed deployment environment
  • EC2 = Requires manual setup and management

With Beanstalk, the infrastructure is abstracted away.


Supported platforms:

Elastic Beanstalk supports:

  • Java, Python, Node.js, Ruby
  • Go, PHP, .NET
  • Docker
  • Nginx/Apache web servers

Placement Groups

What is a placement group?

Placement Groups influence how AWS places your instances to meet performance or high availability requirements.


Types of placement groups:

  1. Cluster – Instances placed close together for high network throughput.
  2. Spread – Instances spread across different hardware to reduce failure risk.
  3. Partition – Instances split into partitions useful for distributed systems like Hadoop.

Cluster vs Spread Placement Group?

  • Cluster – Low latency, high bandwidth, but higher failure risk.
  • Spread – Isolates instances across hardware for better resilience.

Can you move an instance to a placement group?

No. You must:

  • Create an AMI of the instance
  • Launch a new instance inside the placement group

Systems Manager – Run Command

What is AWS Systems Manager Run Command?

A fully managed service that lets you execute commands at scale on EC2 or on-prem servers without SSH/RDP. It centralizes command execution with logging and security controls.


How do you run a command on multiple instances?

Using:

  • SSM console
  • Predefined or custom SSM Document
  • Selecting target instances via tags

Benefits over SSH/RDP:

  • No open inbound ports
  • No need for key pairs
  • Fully auditable
  • Works even without public IPs

What are SSM Documents?

JSON/YAML files that define the actions Run Command or Automation should execute. They contain steps, parameters, and execution logic.


How do you schedule commands?

Using State Manager, which lets you apply:

  • Patches
  • Configuration changes
  • Scripts

on a defined schedule.


Difference between Run Command and Automation:

  • Run Command = Manual execution
  • Automation = Workflow‑based, event-driven execution

Systems Manager – Parameter Store

What is Parameter Store?

A secure hierarchical store for:

  • Secrets
  • Config values
  • Environment variables

Supports versioning and encryption.


Types of parameters:

  • String – Plain text
  • SecureString – Encrypted with KMS

How to retrieve a parameter on EC2?

Using CLI:

aws ssm get-parameter --name MyParam --with-decryption


Benefits over environment variables/config files:

  • Centralized management
  • More secure (KMS encryption)
  • Versioning
  • IAM access control

SecureString vs String:

  • SecureString: KMS-encrypted, used for secrets
  • String: plain text, used for non-sensitive configs

Systems Manager – Session Manager

What is Session Manager?

A secure way to connect to EC2 instances using a browser or CLI without SSH/RDP, even if they have no public IP.


How does it ensure security?

  • IAM‑based access control
  • All actions logged in CloudWatch/CloudTrail
  • No inbound ports required

Can it connect to on‑prem servers?

Yes, as long as the SSM agent is installed and the server is registered in AWS Systems Manager.


Advantages over SSH/RDP:

  • No key management
  • No open ports
  • Full session logging
  • Fine‑grained IAM control

How do you configure Session Manager?

Ensure:

  1. SSM Agent is installed
  2. Instance has IAM role with SSM permissions
  3. Instance is connected to Systems Manager (via VPC endpoints or internet)
