AWS Cloud Admin is one of the most sought-after roles today, but you have to clear the cloud interview first. Cloud interviews are tough, and you need in-depth knowledge of every service you have worked with. Here we have consolidated the Top 25 AWS Cloud Admin Interview Questions and Answers for experienced sysadmins. Go through them and you will feel more confident in your interviews.
Que:1- How can I change an EBS volume type and increase a volume size?
Ans : First select the volume you want to modify, then click Actions and choose Modify Volume. The Modify Volume window displays the volume ID and the volume's current configuration, including type, size and IOPS. You can change any or all of these settings in a single action.
Que:2- I just created an EBS volume but I'm not able to attach it to my EC2 instance. How would you resolve it?
Ans : Most likely the instance and the volume are in different AZs. Create a snapshot of that volume, then create a new volume from the snapshot in the same region where the EC2 instance was launched, and attach it to the instance.
Que:3- Difference between AMI and Snapshot?
Ans : An Amazon Machine Image (AMI) is a template that contains a software configuration (for instance, an operating system, an application server and applications). From an AMI you can launch instances, each of which is a copy of the AMI running as a virtual server in the cloud.
Snapshots, on the other hand, are point-in-time backups of the data on your EBS volumes, stored in Amazon S3. Snapshots are incremental, which means that only the blocks on the device that have changed since your most recent snapshot are saved. When you delete a snapshot, only the data that resides solely in that snapshot is removed.
Que:4- Where do you define subnets while configuring auto scaling?
Ans : You define subnets neither in the launch configuration nor in the auto-scaling configuration. Subnets are defined only when creating the Elastic Load Balancer (ELB).
Que:5- You have two servers (X & Y) in your AWS account and you have allowed SSH access between them, but you are unable to ping one from the other. What could be the reason and how would you resolve it?
Ans : Most likely ICMP is not allowed between them in the security groups; allow it there. If ICMP is already allowed in the security groups, then allow ICMP in the NACLs.
Que:6- How will you configure password login on your AWS EC2 instance?
Ans : You can enable password-based login with the following steps:
- Create a user and assign it a password.
- Add an entry for the user in /etc/sudoers.d/.
- Edit /etc/ssh/sshd_config and uncomment PasswordAuthentication yes.
Que:7- How will you configure a password-less or key-based access between two servers?
Ans : You can set this up with the following steps:
- Generate a key pair on both servers using ssh-keygen -t rsa.
- Create .ssh/authorized_keys on both servers.
- Copy server A's public key into that file on server B, and vice versa.
- Set the .ssh directory to mode 700 using chmod -R 700.
- Set the authorized_keys file to mode 600 using chmod 600.
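The two procedures above (Que:6 and Que:7) scripted in Python as an added example; this is not code from the original post. The sshd_config fragment and the public key are constructed placeholders, and the same directive rewrite serves both "yes" (enable password login, Que:6) and "no" (disable it, as Que:17 recommends).

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sshd_config fragment (not from a real host); the directive is commented out.
SAMPLE_SSHD_CONFIG = """# Authentication:
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
"""
# Constructed placeholder public key, not a real key.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY admin@server-a"

def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with `key value` present exactly once, replacing any active
    or commented-out occurrence such as '#PasswordAuthentication yes'."""
    out, done = [], False
    for line in config_text.splitlines():
        directive = line.lstrip("#").strip().lower()
        if directive.startswith(key.lower() + " "):
            if not done:                      # first occurrence becomes the new setting
                out.append(f"{key} {value}")
                done = True
            continue                          # later duplicates are dropped
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"

def install_authorized_key(home: Path, pubkey: str) -> dict:
    """Add pubkey to home/.ssh/authorized_keys once, then set 700 on .ssh and 600 on the file."""
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(exist_ok=True)
    os.chmod(ssh_dir, 0o700)                  # mkdir honours umask, so set it explicitly
    auth = ssh_dir / "authorized_keys"
    keys = auth.read_text().splitlines() if auth.exists() else []
    if pubkey not in keys:                    # idempotent: re-running never duplicates a key
        keys.append(pubkey)
    auth.write_text("\n".join(keys) + "\n")
    os.chmod(auth, 0o600)
    return {"ssh_dir": stat.S_IMODE(ssh_dir.stat().st_mode),
            "authorized_keys": stat.S_IMODE(auth.stat().st_mode), "keys": len(keys)}

def demo() -> dict:
    """Install the key twice in a throwaway home directory; the second result is returned."""
    with tempfile.TemporaryDirectory() as tmp:
        install_authorized_key(Path(tmp), SAMPLE_PUBKEY)
        return install_authorized_key(Path(tmp), SAMPLE_PUBKEY)
```

On a real host, write the output of set_sshd_option back to /etc/ssh/sshd_config and reload sshd for the change to take effect.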
Que:8- What is a Bastion host?
Ans : A bastion host is a jump server that provides access to hosts in a private subnet. Bastion hosts are usually configured as follows:
- The bastion must allow inbound SSH access (TCP port 22) only from restricted IPs (for example 10.202.16.120/32, where /32 denotes a single exact IP address).
- Instances in the private subnet must allow inbound SSH access only from the bastion host.
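An added example, not from the original post, that checks both bastion rules above against security-group data. The input is a constructed sample shaped like the IpPermissions section returned by `aws ec2 describe-security-groups`; the group IDs are placeholders.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions section of
# `aws ec2 describe-security-groups`; group IDs are placeholders, not real.
BASTION_SG_ID = "sg-bastion-PLACEHOLDER"
SAMPLE_GROUPS = {
    "sg-bastion-PLACEHOLDER": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.202.16.120/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},  # too wide
    ],
    "sg-private-PLACEHOLDER": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion-PLACEHOLDER"}]},  # correct
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},  # bypasses bastion
    ],
}

def covers_ssh(rule: dict) -> bool:
    """True if the inbound rule includes TCP/22 (a '-1' rule covers all protocols and ports)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"]

def review_bastion_rules(rules: list, max_hosts: int = 1) -> list:
    """Flag SSH rules on the bastion whose source CIDR is wider than a single host."""
    findings = []
    for rule in rules:
        if not covers_ssh(rule):
            continue
        for rng in rule["IpRanges"]:
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.num_addresses > max_hosts:
                findings.append(f"bastion allows ssh from {net} ({net.num_addresses} addresses)")
    return findings

def review_private_rules(rules: list, bastion_sg: str) -> list:
    """Flag SSH rules on private instances whose source is anything but the bastion SG."""
    findings = []
    for rule in rules:
        if not covers_ssh(rule):
            continue
        for rng in rule["IpRanges"]:            # any CIDR source sidesteps the bastion
            findings.append(f"private host allows ssh from CIDR {rng['CidrIp']}")
        for pair in rule["UserIdGroupPairs"]:
            if pair["GroupId"] != bastion_sg:
                findings.append(f"private host allows ssh from group {pair['GroupId']}")
    return findings
```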
Que:9- What are Route53 routing policy use cases?
Ans : AWS Route53 is a fully managed DNS service; it allows us to host or buy domains with AWS. Route53 supports different routing policies to direct your traffic to your resources. The policies are
Que:10- While connecting to your instance what are the possible connection issues one might face?
Ans : The connection errors one might encounter while connecting to instances are:
- Connection timed out
- User key not recognized by the server
- Host key not found, permission denied
- Unprotected private key file
- Server may refuse key or No other supported authentication method available
Que:11- How do you update a new AMI in an auto-scaling group?
Ans : Once a launch configuration is created you cannot modify it. To change the AMI you have to create a new launch configuration. After creating the new launch configuration, attach it to the auto-scaling group and terminate the old instances one by one.
Que:12- How will you configure a public and private subnet in VPC?
Ans : Here are the steps to configure public and private subnets in a VPC:
First create a custom VPC, create two subnets, create an Internet gateway (IGW) and attach it to the VPC.
- To create a public subnet: create a route table, associate the subnet with it and add a route that targets the IGW.
- To create a private subnet: create a NAT gateway, create a route table, associate the subnet with it and add a route that targets the NAT gateway.
Que:13- How will you harden a new AWS account?
Ans : You can harden a new AWS account as follows:
- Never share the root password with any user, and disable the root access keys.
- Enable MFA (Multi-Factor Authentication) on the root account.
- Create IAM groups and assign the required policies.
- Create IAM users and add them to their respective groups. Make sure everyone has only the access they need; no additional access is given to any user without approval.
- Set a password retention policy.
- Allow only the required rules in NACLs and security groups.
Que:14- How will you revoke the access keys?
Ans : If your EC2 instance or any other service gets compromised, you must revoke the access keys as follows:
IAM console > Users > select the user > Security credentials > Make inactive
Que:15- What are T2 instances?
Ans : T2 instances are designed to provide moderate baseline performance and the capability to burst to higher performance as required by the workload.
Que:16- In VPC with private and public subnets, database servers should ideally be launched into which subnet?
Ans : Ideally, it is recommended to launch all database servers into private subnets.
Que:17- What are the security best practices for Amazon EC2?
Ans : To secure Amazon EC2, follow these best practices:
- Use AWS Identity and Access Management (IAM) to control access to your AWS resources.
- Restrict access by allowing only trusted hosts or networks to reach ports on your instance.
- Review the rules in your security groups regularly.
- Open up only the permissions that you require.
- Disable password-based login for instances launched from your AMI.
Que:18- How can you vertically scale an Amazon EC2 instance?
Ans : Amazon EC2 instances can be scaled vertically. Launch a new instance with a larger configuration than the one you are currently running, then stop this instance, detach its root EBS volume and discard that volume.
Next stop your live old instance, detach its root volume and note the device ID it was attached as, then attach that root volume to your new, larger instance and start it.
Que:19- What does an AMI include?
Ans : An AMI includes the following:
- A template for the root volume of the instance.
- Launch permissions that control which AWS accounts can use the AMI to launch instances.
- A block device mapping that specifies the volumes to attach to the instance when it is launched.
Que:20- What is the difference between Security groups and NACLs?
Ans : In AWS, you can harden your instances at the network level in three ways:
- OS-based firewall
- Security Groups
- Network Access Control Lists (NACLs)
Security groups and NACLs together help build a layered network defence. The differences are:
| Security Groups | NACLs |
|---|---|
| Act at the instance level. | Act at the subnet level. A NACL is a numbered list of rules, and the lowest rule number has the highest priority. |
| Allow you to add or remove rules for both ingress and egress traffic to the instance. | A Network ACL is a layer of security for the VPC that acts as a firewall controlling traffic in and out of one or more subnets. |
| Only allow rules, no deny rules. | NACLs have separate inbound and outbound rules. Each rule can either allow or deny the traffic. |
| Default: allow all egress and no ingress traffic. | The default NACL allows all inbound and outbound traffic. A newly created NACL denies all inbound and outbound traffic. |
| Stateful: return traffic is automatically allowed, regardless of any rule. | Stateless: return traffic must be explicitly allowed by rules. |
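The stateful/stateless and rule-ordering differences above, modelled as an added example that is not from the original post. The NACL and security-group rule sets and the IP addresses are constructed; the trace follows an SSH SYN from a bastion into a private subnet and the instance's reply back out, showing why a stateless NACL drops the reply unless an outbound ephemeral-port rule exists.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets, not from a real VPC. NACL rule: (number, protocol,
# (low_port, high_port), cidr, action), evaluated in number order, first match wins.
PRIVATE_SUBNET_NACL = {
    "inbound": [
        (100, "tcp", (22, 22), "10.0.0.0/24", "allow"),     # ssh from bastion subnet
        (110, "tcp", (22, 22), "0.0.0.0/0", "deny"),
        (120, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),  # replies to outbound calls
    ],
    "outbound": [
        (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
        # no ephemeral-port outbound rule, so ssh replies to the bastion will be dropped
    ],
}
# Security group of the private instance: allow rules only, stateful.
INSTANCE_SG = {"inbound": [("tcp", (22, 22), "10.0.0.0/24")], "outbound": []}

def nacl_decision(rules, proto, port, peer):
    """Lowest-numbered matching rule decides; no match hits the implicit deny ('*')."""
    for number, r_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto in ("-1", proto) and lo <= port <= hi and ip_address(peer) in ip_network(cidr):
            return action, number
    return "deny", "*"

def sg_allows(rules, proto, port, peer):
    """Any matching allow rule suffices; there are no deny rules to order."""
    return any(p == proto and lo <= port <= hi and ip_address(peer) in ip_network(c)
               for p, (lo, hi), c in rules)

def with_ephemeral_return_rule(nacl):
    """Copy of nacl plus the outbound rule the stateless layer needs for ssh replies."""
    fixed = {k: list(v) for k, v in nacl.items()}
    fixed["outbound"].append((200, "tcp", (1024, 65535), "0.0.0.0/0", "allow"))
    return fixed

def trace_ssh_session(bastion_ip, nacl=PRIVATE_SUBNET_NACL, client_port=51515):
    """Walk an ssh SYN from the bastion and the instance's reply through both layers."""
    v = {}
    # NACL at the subnet edge is stateless: the reply needs its own outbound rule.
    v["nacl_in"] = nacl_decision(nacl["inbound"], "tcp", 22, bastion_ip)
    v["nacl_reply_out"] = nacl_decision(nacl["outbound"], "tcp", client_port, bastion_ip)
    # SG on the ENI is stateful: once the SYN is allowed in, the reply is allowed out.
    v["sg_in"] = sg_allows(INSTANCE_SG["inbound"], "tcp", 22, bastion_ip)
    v["sg_reply_out"] = v["sg_in"]
    return v
```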
Que:21- What will you do if a server in your environment gets compromised and you have your AWS keys on that?
Ans : It is not recommended to place your keys on an EC2 instance at all; always use IAM roles instead. In this scenario, first I'll stop the instance so that the attacker cannot reach other instances, or, if there is no critical workload on it, terminate it, provided I have a recent AMI of that instance.
Secondly, since an access key is configured on the server, I'll inform the team members and my manager about the incident, create a new access key and secret key, replace the old key wherever else it is used, and revoke the old key. I'll also make sure that going forward no keys are placed on instances, which is achieved by using IAM roles.
Que:22- How many buckets can you create in AWS by default?
Ans : By default, you can create up to 100 buckets in each of your AWS accounts. If you need more, you can raise your account's bucket limit to a maximum of 1,000 buckets by submitting a service limit increase request to AWS Support.
Que:23- How many IAM keys can a user have?
Ans : A user can have at most two active IAM access key and secret key pairs at a time.
Que:25- What are the types of pricing models for EC2 instances and what is the difference between them?
Ans : Reserved, Spot and On-Demand Instances.
Read more here: Elastic Compute Cloud EC2 on Amazon Web Services
You have now gone through the Top 25 AWS Cloud Admin Interview Questions and Answers, and you should feel more confident about cracking your AWS cloud interview. Stay tuned for more.