50 aws devops interview questions Practice Questions: Question Bank 2025

A team uses AWS CodePipeline and wants every pull request to run unit tests and create a review environment automatically. The team also needs approvals before merging to main. Which solution best meets these requirements with the least custom code?

A company manages hundreds of AWS accounts using AWS Organizations. Security requires an auditable, automated way to ensure AWS CloudTrail is enabled organization-wide and that all logs are delivered to a central S3 bucket with log file integrity validation. Which solution best meets these requirements?

An application runs on Amazon ECS with AWS Fargate behind an Application Load Balancer (ALB). The team wants to perform canary deployments with automatic rollback when CloudWatch alarms breach. Which approach is best?

A team uses AWS CloudFormation for infrastructure. They want to prevent accidental updates to critical resources (for example, an RDS database) during stack updates while still allowing updates to the rest of the stack. What should they do?

A microservices platform emits structured JSON logs from containers. The company wants to search logs across services, create metric filters, and retain logs for 90 days. Which solution is MOST appropriate?

A company wants to enforce that all Amazon EBS volumes attached to EC2 instances are encrypted. The company also wants to automatically remediate noncompliant resources. Which approach best satisfies these requirements?

A team uses Amazon EKS and wants to reduce incident time by automatically capturing diagnostic data when a pod repeatedly crashes (CrashLoopBackOff). The solution must trigger near real-time and store artifacts centrally for later review. Which solution is best?

A company wants infrastructure changes to be peer-reviewed and automatically validated before deployment. The team uses Terraform and stores code in a Git repository. They want automated checks for security misconfigurations and policy compliance during pull requests. Which solution best meets these requirements?

A mission-critical API runs on EC2 instances in an Auto Scaling group behind an ALB across two Availability Zones. During deployments, the company experiences brief brownouts when instances are terminated before the new instances pass health checks. The company must eliminate brownouts without increasing operational complexity significantly. What should they do?

A company uses AWS CodePipeline to deploy to multiple AWS accounts. A security audit finds that the pipeline role in the tooling account has overly broad permissions (AdministratorAccess) in target accounts. The company needs a least-privilege, scalable model for cross-account deployments with centralized auditing. Which solution is best?

A company uses AWS CodePipeline to deploy to multiple AWS accounts (dev, test, prod). The security team requires that deployments to production can be started only by a specific IAM role in the tooling account, and that all production actions are auditable. Which solution best meets these requirements?

A team manages infrastructure with AWS CloudFormation. A recent update to a stack failed and the stack is now in UPDATE_ROLLBACK_FAILED. The team needs to recover with minimal risk of further changes while preserving existing resources. What should the team do?

An application running on Amazon ECS on AWS Fargate emits JSON logs. The operations team wants to search and visualize these logs, and also get near-real-time alerts when specific error patterns appear. Which approach is the MOST appropriate?

A company uses Amazon EC2 Auto Scaling groups behind an Application Load Balancer. During deployments, the team notices that new instances sometimes receive traffic before the application is fully initialized, causing 5xx errors. What is the BEST way to prevent this?

Security has mandated that all new Amazon EBS volumes and Amazon RDS databases must be encrypted, and any noncompliant resource creation must be prevented. Which solution best enforces this requirement across accounts in an AWS Organization?

A team uses Amazon EventBridge to route operational events to multiple targets. They must ensure that events are not lost if a downstream target is unavailable, and they need the ability to replay events after an incident. Which solution meets these requirements with the LEAST operational overhead?

A company uses AWS CodeBuild for CI. Builds intermittently fail when pulling dependencies from the public internet, and the security team wants to remove direct internet access from the build environment. Which approach will allow builds to succeed without outbound internet access?

An organization wants to standardize configuration management across hundreds of EC2 instances in multiple accounts and Regions. The solution must support applying OS patches, running ad hoc commands, and maintaining an inventory of installed software. Which service should be used?

A production microservice uses Amazon DynamoDB. The team deployed a change that increased request rates and introduced occasional throttling and elevated latency. They need to identify whether the throttling is due to hot partitions or insufficient table capacity, and they want actionable visibility to guide a fix. Which solution is the MOST effective?

A company must enforce that production changes are deployed only after two independent approvals and that the approval identities are recorded for audits. Deployments are executed through AWS CodePipeline. Which solution best satisfies these requirements while minimizing custom code?

A DevOps team uses AWS CodeDeploy for in-place deployments to a fleet of Amazon EC2 instances in an Auto Scaling group. During deployments, instances are terminated by scaling policies, causing frequent deployment failures. The team wants to prevent scale-in from terminating instances that are actively receiving a deployment. What should the team do?

An organization wants to ensure that all newly created AWS resources include mandatory tags (e.g., CostCenter, DataClassification). The organization also wants noncompliant requests to be blocked automatically. Which solution best meets these requirements with the least operational overhead?

A team needs to centralize logs from multiple AWS accounts into a dedicated logging account. The logs must be encrypted at rest and searchable. The solution should support near-real-time ingestion with minimal custom code. Which approach is most appropriate?

A company manages infrastructure using AWS CloudFormation. A recent stack update failed and the stack is stuck in UPDATE_ROLLBACK_FAILED because a resource cannot be deleted due to a retention requirement. The team needs to recover the stack so future updates can proceed. What should the team do?

An application runs on Amazon ECS using the Fargate launch type. The team uses AWS CodePipeline and AWS CodeDeploy with blue/green deployments. They want to automatically roll back deployments when a new task set causes elevated 5xx errors. Which approach best accomplishes this?

A workload uses Amazon RDS for PostgreSQL. The company needs a documented, repeatable incident response process that automatically captures forensic data (e.g., recent logs and configuration) and restricts access when suspicious activity is detected. Which solution best meets these requirements?

A company wants to ensure that container images deployed to Amazon EKS are scanned for vulnerabilities and that only approved images can be pulled by workloads. The company also needs to enforce this consistently across multiple clusters. Which approach best meets these requirements?

A multi-Region application uses Amazon DynamoDB global tables. During a Region-wide impairment, writes in the secondary Region continue but later the primary Region recovers and begins serving traffic again. The team observes unexpected item values due to write conflicts. They need a design that minimizes conflict impact and supports deterministic resolution. What should the team do?

A company runs a regulated workload and must prove that no long-lived credentials are used by CI/CD jobs. The pipeline runs in AWS CodeBuild and needs to deploy to multiple AWS accounts. The company also requires that access be tightly scoped per pipeline action and be fully auditable. Which solution best meets these requirements?

A team uses Amazon S3 to store deployment artifacts. The artifacts must be immutable after upload to meet compliance requirements, and the team must be able to prove that artifacts were not altered or deleted during a retention period. Which solution best meets these requirements?

A company runs containerized microservices on Amazon ECS with the Fargate launch type. During incidents, engineers need to execute a diagnostic command inside a running task without opening inbound ports or managing SSH keys. Which approach meets these requirements with the LEAST operational overhead?

A DevOps team wants AWS CloudFormation to detect when a deployed stack’s resources have drifted from the template so they can review unintended changes. What should the team use?

A team uses Amazon CloudWatch Logs for application logs. They need to be notified when a specific error string ("PAYMENT_FAILED") appears more than 10 times in 5 minutes. Which solution is most appropriate?

A company must ensure that an Amazon S3 bucket containing audit reports cannot be deleted, even by administrators, and that objects cannot be overwritten or removed for a defined retention period. Which feature should be used?

A company uses AWS CodePipeline to deploy a CloudFormation stack to multiple accounts. The security team requires that deployments only occur if all required manual approvals are captured and recorded centrally. Which solution best meets these requirements?

A team uses AWS Systems Manager State Manager to enforce configuration on a fleet of Amazon EC2 instances. Some instances are frequently failing associations. Investigation shows the SSM Agent is running, but the instances cannot reach Systems Manager endpoints. The instances are in private subnets with no internet access. Which change will MOST likely resolve the issue without adding internet connectivity?

A company wants to standardize IAM permissions for workloads across many AWS accounts. Teams should assume a role in their own account, but the permissions must be centrally governed and updated without editing each account’s IAM policies. Which approach best meets these requirements?

A team is troubleshooting intermittent latency in a serverless application that uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. They need end-to-end visibility of a single request as it traverses services, including identifying which downstream call is slow. Which solution provides the best tracing capability?

A company runs a multi-account AWS environment managed by AWS Organizations. They must automatically remediate when any IAM policy allows unrestricted access ("Action": "*" and "Resource": "*") on a role used by CI/CD. The remediation must remove the risky permission quickly and create an audit trail of the change. Which solution is MOST appropriate?

A production web application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The team wants to perform deployments with minimal risk by shifting a small percentage of traffic to a new version and automatically rolling back if error rates increase. The solution must support EC2-based deployments. Which approach best meets these requirements?

A DevOps team must prevent long-lived IAM access keys from being used in CI/CD pipelines. Developers currently store access keys as secrets in a build system to deploy to AWS. The team wants a solution that provides short-lived credentials with minimal operational overhead. What should the team do?

An application runs on Amazon ECS with tasks that sometimes fail health checks due to transient downstream dependency errors. The DevOps team wants to quickly identify whether the failures are correlated with specific dependency latency spikes. Which approach provides the MOST direct visibility with the least code changes?

A team manages infrastructure using AWS CloudFormation. They need to preview how a stack update will affect resources before applying changes, including which resources will be replaced. What should they use?

A company uses AWS CodePipeline to deploy a microservice to Amazon EKS. They want progressive delivery using a canary rollout so that 10% of traffic goes to the new version for 15 minutes, then automatically proceeds to 100% if no alarms breach. Which solution best meets this requirement with minimal custom tooling?

A DevOps team needs to run the same AWS Systems Manager Automation document across hundreds of accounts in an AWS Organization whenever a new critical patch is released. They must ensure execution is centrally controlled and auditable, and they want to avoid building custom cross-account tooling. What should they do?

A team uses Terraform to provision AWS resources. They want to detect and prevent manual changes (drift) in production resources and automatically open a ticket when drift occurs. Which approach best meets the requirement while integrating with AWS-native controls?

An application uses Amazon SQS standard queues. During traffic spikes, the processing fleet falls behind and messages accumulate. The team wants to automatically scale the consumers based on the backlog, and they need the scaling signal to reflect both queue depth and time-to-drain. What is the MOST appropriate scaling metric to use?

A company ingests application logs into Amazon CloudWatch Logs. They need to run ad hoc queries across multiple log groups, detect anomalous error-rate patterns, and retain logs for 2 years. The solution must minimize operational overhead and avoid managing servers. What should they do?

A security team needs to ensure that any new Amazon S3 bucket created in the organization denies public access and enforces encryption with AWS KMS keys. They want preventative controls that apply automatically to all accounts, including newly created accounts. Which solution best meets these requirements?

A mission-critical workload runs on Amazon EC2 in an Auto Scaling group behind an Application Load Balancer. The team observes that during an Availability Zone impairment, the Auto Scaling group continues attempting to launch instances in the impaired AZ, causing prolonged reduced capacity. They need the system to maintain capacity by shifting launches to healthy AZs automatically and quickly. What should they do?