AWS DevOps Interview Questions and Answers

100+ AWS DevOps Interview Questions and Answers

Q1. Candidate Introduction and DevOps Experience

Answer:

I have xx years of experience working as a DevOps Engineer. Currently, I am employed at xxxxxx, where I work with multiple DevOps tools and cloud platforms to build, automate, and manage scalable infrastructure.

Hands-on Experience:

  • CI/CD: Jenkins (Declarative pipelines), GitHub Actions (Jenkins-to-GitHub Actions migration)
  • Cloud: AWS – EC2, EBS, ELB, Auto Scaling, Route 53, EFS, EKS
  • Infrastructure as Code: Terraform
  • Containers: Docker and Kubernetes
  • GitOps: Argo CD
  • Automation: Ansible and Atlantis
  • Monitoring: Prometheus
  • Scripting: Shell scripting and Python

Q2. Can you write a Jenkins Declarative CI/CD Pipeline?

Answer:

Below is a complete Jenkins Declarative Pipeline that covers code checkout, build, SonarQube analysis, Docker image build, and deployment to Amazon EKS.

pipeline {
  agent any
  environment {
    DOCKER_IMAGE = "myapp:latest"
  }
  stages {
    stage('Checkout') {
      steps {
        git branch: 'main', url: 'https://github.com/example/repo.git'
      }
    }
    stage('Build') {
      steps {
        sh 'mvn clean package'
      }
    }
    stage('SonarQube Analysis') {
      steps {
        withSonarQubeEnv('sonarqube-server') {
          sh 'mvn sonar:sonar'
        }
      }
    }
    stage('Docker Build') {
      steps {
        sh 'docker build -t $DOCKER_IMAGE .'
      }
    }
    stage('Deploy to EKS') {
      steps {
        sh 'kubectl apply -f deployment.yaml'
      }
    }
  }
}

Q3. Can you write Terraform Code to Launch EC2 in an Existing VPC?

Answer:

provider "aws" {
  region = "us-east-1"
}

data "aws_vpc" "existing" {
  filter {
    name   = "tag:Name"
    values = ["my-vpc"]
  }
}

data "aws_subnets" "selected" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.existing.id]
  }
}

resource "aws_instance" "example" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t2.micro"
  subnet_id     = data.aws_subnets.selected.ids[0]
  tags = {
    Name = "MyInstance"
  }
}

Q4. How can you retrieve existing AWS Resources in Terraform?

Answer:

Terraform uses data blocks to fetch and reference existing AWS resources without recreating them.

Example

data "aws_vpc" "existing" {
  filter {
    name   = "tag:Name"
    values = ["my-existing-vpc"]
  }
}

Q5. What are the Deployment Strategies and which provides Zero-Downtime Deployments?

Answer:

  • Recreate: Stops the old version before deploying the new one.
  • Rolling: Gradually replaces instances.
  • Blue-Green: Runs two environments and switches traffic (zero downtime).
  • Canary: Releases to a small subset of users first.
  • A/B Testing: Routes traffic to multiple versions for comparison.

Zero-downtime strategies: Blue-Green and Canary deployments.


Q6. How do you configure Host-Based and Path-Based Routing in AWS ALB?

Answer:

Host-Based Routing: Routes traffic based on domain name.

Example: api.example.com → API Target Group

Path-Based Routing: Routes traffic based on URL path.

Example: example.com/api → API Target Group

Steps

  1. Create separate target groups
  2. Add ALB listener rules
  3. Define host or path conditions

Q7. What is an IAM Cross-Account Role in AWS?

Answer:

An IAM cross-account role allows one AWS account to securely access resources in another AWS account without sharing credentials.

Example Use Case

  • Create a role in Account B with a trust policy for Account A
  • Use sts:AssumeRole from Account A

Q8. What is AssumeRole in AWS?

Answer:

AssumeRole is an AWS STS operation that provides temporary security credentials to access AWS resources.

It is commonly used for cross-account access, CI/CD pipelines, and temporarily elevating permissions in a controlled way.


Q9. How do you troubleshoot an EC2 Instance when Health Check Failures happen?

Answer:

System Status Check Failure

  • AWS infrastructure issue
  • Stop and start the instance

Instance Status Check Failure

  • OS or filesystem issue
  • Detach root volume and attach to a healthy EC2
  • Fix issues or create a new AMI

Recovery Option

  • Take snapshot
  • Launch new instance from snapshot

Q10. Can you write a Python script to read and print a file line by line?

Answer:

Yes. The following Python script reads a file line by line and prints each line after stripping leading and trailing whitespace (including the trailing newline).

Example

with open("application.log", "r") as file:
    for line in file:
        print(line.strip())

Q11. What types of parameters can Jenkins pipelines accept?

Answer:

  • String Parameter
  • Boolean Parameter
  • Choice Parameter
  • Password Parameter
  • File Parameter

Q12. What is the difference between ALB and NLB?

Answer:

  • ALB (Layer 7): Works with HTTP/HTTPS and supports host-based and path-based routing.
  • NLB (Layer 4): Works with TCP/UDP traffic and handles very high performance workloads.

Q13. How do you restrict application access to a specific domain?

Answer:

You can restrict access using the following methods:

  • AWS WAF: Allow or block requests based on domain rules.
  • ALB Listener Rules: Match Host headers.
  • Route 53: Control DNS routing.

Example: ALB Host Header Rule

Field: host-header
Values: ["example.com"]

Q14. What is the difference between git merge and git rebase?

Answer:

git merge combines two branches and creates a merge commit.

git rebase moves commits on top of another branch to create a clean, linear history.

Example

git checkout feature
git rebase main

Q15. Can you write an Ansible playbook that calls another playbook?

Answer:

First Playbook (first_playbook.yml)

---
- name: First playbook that calls another playbook
  import_playbook: second_playbook.yml

Second Playbook (second_playbook.yml)

---
- name: Second playbook
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Print a welcome message
      debug:
        msg: "Hello from the second playbook!"
    - name: Print current date and time
      command: date
      register: current_time
    - name: Show current date and time
      debug:
        var: current_time.stdout

Q16. How do you dynamically open multiple ports in a security group?

Answer:

You can pass a list of ports as a variable and loop through them using a dynamic block.

Example

variable "allowed_ports" {
  type    = list(number)
  default = [22, 80, 443]
}

resource "aws_security_group" "example" {
  name = "example-sg"

  dynamic "ingress" {
    for_each = var.allowed_ports
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
}

Q17. What is the difference between Authentication and Authorization?

Answer:

  • Authentication: Verifies who the user is (username, password, MFA).
  • Authorization: Determines what actions the user can perform.

Q18. Can you write Terraform code to provision an EC2 instance?

Answer:

resource "aws_instance" "example" {
  ami                    = "ami-0abcdef1234567890"
  instance_type          = "t2.micro"
  vpc_security_group_ids = ["sg-12345678"]
  tags = {
    Name = "ExampleInstance"
  }
}

Q19. What is the most cost-efficient deployment strategy?

Answer:

Blue-Green Deployment is considered cost-efficient because traffic is switched to the new environment only after validation. Once confirmed stable, the old environment can be shut down immediately, reducing unnecessary resource usage.


Q20. Difference between Rolling Update and Blue-Green Deployment?

Answer:

  • Rolling Update: Gradually replaces old instances with new ones, minimizing downtime.
  • Blue-Green Deployment: Maintains two full environments and switches traffic instantly.

Q21. What is Canary Deployment?

Answer:

Canary Deployment releases a new version to a small percentage of users first (for example, 10% or 25%). If the release is stable, traffic is gradually increased. If issues occur, traffic is rolled back quickly.


Q22. How do you access an S3 bucket from EC2 without access keys?

Answer:

Attach an IAM Role to the EC2 instance with permissions to access the required S3 bucket.

Example IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-specific-bucket",
        "arn:aws:s3:::my-specific-bucket/*"
      ]
    }
  ]
}

Q23. How do you restrict access to only one S3 bucket?

Answer:

Specify the exact bucket ARN in the IAM policy Resource field. This ensures access is limited to only that bucket.
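The following check, added here as an example and not part of the original answers, verifies what Q22 and Q23 describe: that every Allow statement granting S3 actions names exactly one bucket in its Resource field, with no `*` or wildcard bucket names. The sample policy is a constructed copy of the Q22 policy.

```python
import json

# Constructed sample policy with the same shape as the Q22 answer.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-specific-bucket",
        "arn:aws:s3:::my-specific-bucket/*"
      ]
    }
  ]
}"""

S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bucket_of(resource_arn):
    """Return the bucket name an S3 ARN refers to, or None if it is not an S3 ARN."""
    if not resource_arn.startswith(S3_ARN_PREFIX):
        return None
    # Everything after the prefix and before the first "/" is the bucket name.
    return resource_arn[len(S3_ARN_PREFIX):].split("/", 1)[0]


def check_single_bucket_policy(policy_text, expected_bucket):
    """Check that every Allow statement touching S3 is scoped to expected_bucket only.

    Returns a list of findings; an empty list means the policy passes.
    """
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        s3_actions = [a for a in actions if a == "*" or a.lower().startswith("s3:")]
        if not s3_actions:
            continue  # this statement grants no S3 access
        if "NotResource" in stmt:
            findings.append(f"statement {idx}: NotResource grants everything except the listed ARNs")
            continue
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            findings.append(f"statement {idx}: S3 Allow without a Resource element")
        for arn in resources:
            if arn == "*":
                findings.append(f"statement {idx}: Resource '*' is not limited to one bucket")
                continue
            bucket = bucket_of(arn)
            if bucket is None:
                continue  # ARN for another service; out of scope for this check
            if "*" in bucket or "?" in bucket:
                findings.append(f"statement {idx}: wildcard bucket name in {arn}")
            elif bucket != expected_bucket:
                findings.append(f"statement {idx}: {arn} names bucket '{bucket}', not '{expected_bucket}'")
    return findings


if __name__ == "__main__":
    problems = check_single_bucket_policy(POLICY_JSON, "my-specific-bucket")
    print("policy OK" if not problems else "\n".join(problems))
```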


Q24. If you cannot access your EKS cluster, what steps would you take?

Answer:

  1. Verify IAM permissions for the user or role.
  2. Check Kubernetes RBAC (RoleBindings and ClusterRoleBindings).
  3. Update kubeconfig using the AWS CLI:

aws eks update-kubeconfig --region us-east-1 --name cluster-name

Q25. What are the different types of Kubernetes Services?

Answer:

  • ClusterIP: Internal access within the cluster
  • NodePort: Exposes service on each node’s IP
  • LoadBalancer: Exposes service via cloud load balancer
  • ExternalName: Maps service to an external DNS name

Q26. What is kube-proxy?

Answer:

kube-proxy manages network rules on each node and enables communication between services and pods by forwarding traffic to the correct backend.


Q27. What is a Headless Service?

Answer:

A Headless Service is created by setting clusterIP: None. It provides direct access to pod IPs without load balancing and is commonly used for stateful applications.

Example

apiVersion: v1
kind: Service
metadata:
  name: my-headless-service
spec:
  clusterIP: None
  selector:
    app: myapp

Q28. What is HPA (Horizontal Pod Autoscaler)?

Answer:

Horizontal Pod Autoscaler (HPA) automatically scales the number of pod replicas based on CPU utilization, memory usage, or custom metrics.

Example

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: my-app-hpa
spec:
  minReplicas: 2
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 50

Q29. What is VPA (Vertical Pod Autoscaler)?

Answer:

Vertical Pod Autoscaler (VPA) automatically adjusts CPU and memory requests and limits for pods based on usage patterns.

  • Helps optimize resource allocation
  • Recommended for long-running workloads
  • Not suitable for short-lived pods or horizontal scaling use cases

Q30. What are Liveness and Readiness Probes?

Answer:

  • Liveness Probe: Checks if the container is running. If it fails, Kubernetes restarts the container.
  • Readiness Probe: Checks if the pod is ready to receive traffic.

Example

livenessProbe:
  httpGet:
    path: /health
    port: 8050
  initialDelaySeconds: 10
  periodSeconds: 5
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5

Q31. Pods are getting evicted after deployment. How do you troubleshoot?

Answer:

Steps to troubleshoot pod eviction:

  1. Run kubectl describe pod <pod-name> to check events
  2. Check node resource pressure (memory, disk, or CPU)
  3. Verify pod resource requests and limits
  4. Check node affinity or anti-affinity rules

Q32. How do you manually scale a Kubernetes deployment?

Answer:

Using kubectl

kubectl scale deployment my-deployment --replicas=5

Using YAML

spec:
  replicas: 5

Q33. What should you check before upgrading a Kubernetes cluster?

Answer:

  • Check deprecated APIs using tools like pluto
  • Take backups of workloads and persistent data
  • Upgrade the control plane before worker nodes
  • Use a canary upgrade strategy (upgrade nodes gradually)
  • Verify compatibility of monitoring and logging tools

Q34. Difference between NodePort and LoadBalancer?

Answer:

  • NodePort: Exposes the service on a fixed port on every node. Requires accessing <NodeIP>:<Port>.
  • LoadBalancer: Automatically provisions a cloud provider’s external load balancer.

Q35. Difference between Ingress and Service?

Answer:

A Service exposes pods within the cluster using ClusterIP, NodePort, or LoadBalancer.

Ingress manages external HTTP/HTTPS access to services using routing rules.

Ingress Example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

Q36. What are ConfigMaps and Secrets?

Answer:

  • ConfigMap: Stores non-sensitive configuration data as key-value pairs.
  • Secret: Stores sensitive data like passwords and tokens (base64 encoded).

Q37. How do you patch worker nodes in Amazon EKS?

Answer:

Using Managed Node Groups

aws eks update-nodegroup-version \
  --cluster-name my-cluster \
  --nodegroup-name my-nodegroup

Unmanaged Node Groups

  • Update the AMI
  • Recreate instances using Auto Scaling Groups

Q38. How do you monitor Amazon EKS clusters?

Answer:

Amazon EKS clusters are monitored using a combination of logging and metrics tools.

  • ELK Stack (Elasticsearch, Logstash, Kibana) for log analysis
  • Fluentd or Filebeat to ship logs from pods
  • AWS CloudWatch for infrastructure metrics and alerts

Q39. How do you integrate Kibana with Kubernetes?

Answer:

  1. Deploy Elasticsearch, Logstash, and Kibana using Helm or manifests
  2. Install Fluentd or Filebeat as a DaemonSet
  3. Configure log forwarding using ConfigMaps
  4. Kibana reads data from Elasticsearch for visualization

Q40. What branching strategy are you following?

Answer:

We follow a multi-environment branching strategy:

  • dev → qa → pre-prod → prod
  • feature/* branches for new development
  • hotfix/* branches for urgent fixes

Code is promoted by merging changes progressively across environment branches.


Q41. How do you promote a Docker image from Dev to QA without merging code?

Answer:

  1. Tag the Docker image (e.g., myapp:1.0-dev)
  2. Push the image to Docker Hub or another registry
  3. Update the QA deployment YAML with the new image tag
  4. Apply the changes using kubectl or let ArgoCD sync them

Example

containers:
  - name: myapp
    image: myrepo/myapp:1.0-dev

Q42. How does Jenkins trigger a job when code is pushed to GitHub?

Answer:

  1. GitHub Webhooks send a POST request to Jenkins
  2. Jenkins identifies the repository and branch
  3. The configured job is triggered automatically
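Because the webhook is an unauthenticated POST from the internet, the receiving side should confirm the payload really came from GitHub before triggering a job. The example below, added here and not Jenkins' own code, does that with the shared secret configured on the webhook: GitHub sends an HMAC-SHA256 of the raw body in the X-Hub-Signature-256 header, and the receiver recomputes and compares it. The secret and payload are constructed values.

```python
import hashlib
import hmac
import json

# Constructed values: the shared secret set on the GitHub webhook (and on the
# receiver) and a minimal push payload for branch main of example/repo.
WEBHOOK_SECRET = b"placeholder-webhook-secret"
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main",
                          "repository": {"full_name": "example/repo"}}).encode()


def compute_signature(secret, body):
    """Build the X-Hub-Signature-256 value: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header_value):
    """Return True only if header_value matches the HMAC of the raw body.

    hmac.compare_digest runs in constant time, so response timing does not
    leak how many leading bytes of a guessed signature were correct.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(compute_signature(secret, body), header_value)


def handle_push(secret, body, headers):
    """Accept a push event only after the signature checks out.

    Returns (http_status, branch): 403 for a bad signature, 204 for events
    that are acknowledged but not built, 200 with the branch name for a push.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 403, None
    if headers.get("X-GitHub-Event") != "push":
        return 204, None
    ref = json.loads(body)["ref"]  # e.g. "refs/heads/main"
    branch = ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else ref
    return 200, branch


if __name__ == "__main__":
    sig = compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    good = {"X-Hub-Signature-256": sig, "X-GitHub-Event": "push"}
    print(handle_push(WEBHOOK_SECRET, SAMPLE_BODY, good))
```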

Q43. How does Kubernetes authenticate when pulling images from Docker Hub?

Answer:

Kubernetes uses image pull secrets that store Docker registry credentials.

Example

kubectl create secret docker-registry my-docker-secret \
  --docker-username=<username> \
  --docker-password=<password> \
  --docker-email=<email>

Reference in Deployment

spec:
  imagePullSecrets:
    - name: my-docker-secret

Q44. How does a Kubernetes Service identify the correct pods?

Answer:

Kubernetes services use labels and selectors to route traffic to the correct pods.

Example

metadata:
  labels:
    app: myapp
spec:
  selector:
    app: myapp

Q45. How do you restrict communication between Kubernetes namespaces?

Answer:

Use Kubernetes Network Policies to control traffic between namespaces.

Example

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-other-namespaces
  namespace: namespace1
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}

Q46. Difference between Deployment and StatefulSet?

Answer:

  • Deployment: Used for stateless applications. Pods are interchangeable.
  • StatefulSet: Used for stateful workloads with stable identities and storage.

StatefulSets provide ordered deployment, stable hostnames, and persistent volume claims per pod.


Q47. How do you connect to a Linux server? What issues can occur?

Answer:

We connect using SSH.

  • Wrong PEM key → Permission denied (publickey)
  • Wrong username or password
  • Network issues or incorrect IP
  • Private subnet access requires a Bastion Host

Q48. What is a Bastion Host?

Answer:

A Bastion Host is a publicly accessible server that provides secure access to instances in a private subnet.


Q49. What are the prerequisites to run Terraform on AWS?

Answer:

  • AWS provider configuration
  • IAM permissions to create resources
  • Remote state management (S3 + DynamoDB for locking)

Q50. Where do you store Terraform state files?

Answer:

We store Terraform state in an S3 remote backend.

Example

terraform {
  backend "s3" {
    bucket = "my-tf-state"
    key    = "env/prod/terraform.tfstate"
    region = "us-west-2"
  }
}

Q51. What is DevOps?

Answer:

DevOps is a culture and set of practices that combines development and operations to deliver software faster and more reliably through automation, CI/CD, Infrastructure as Code, and monitoring.


Q52. What is Prometheus?

Answer:

Prometheus is an open-source monitoring system that collects metrics using a pull model and stores them in a time-series database. It is commonly used with Grafana.


Q53. How does Prometheus collect node-level metrics in Kubernetes?

Answer:

By deploying Node Exporter as a Daemon Set so that each node exposes metrics.


Q54. How do you collect metrics from a node outside Kubernetes?

Answer:

Install Prometheus Node Exporter on the external VM and configure Prometheus to scrape it.

Example

scrape_configs:
  - job_name: "external-node"
    static_configs:
      - targets: ["<external-vm-ip>:9100"]  # placeholder for the VM's address

Q55. How is your application containerized and deployed?

Answer:

The application is containerized using Docker and deployed on Kubernetes with a multi-container pod architecture.

  • App Container: Runs application logic
  • Log Container: Collects and pushes logs
  • Operations Container: Handles metrics and monitoring

A CLI tool is used to configure the application using gRPC calls for configuration updates and directory settings.


Q56. What is the difference between Stateful Set and Daemon Set in Kubernetes?

Answer:

StatefulSet

  • Used for stateful applications
  • Provides stable pod names (pod-0, pod-1)
  • Uses Persistent Volume Claims (PVCs)
  • Data is retained even if the pod restarts

Use cases: Databases like MySQL, PostgreSQL, MongoDB

volumeClaimTemplates:
- metadata:
    name: data
  spec:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: 1Gi

DaemonSet

  • Ensures one pod runs on every node
  • Used for node-level services

Use cases: Fluentd, Node Exporter, monitoring agents

kind: DaemonSet
spec:
  template:
    spec:
      containers:
      - name: log-agent
        image: fluentd

Q57. What are Labels and Selectors in Kubernetes?

Answer: Labels are key-value pairs attached to Kubernetes objects. Selectors are used to filter and group resources based on those labels.

metadata:
  labels:
    app: frontend

kubectl get pods --selector app=frontend

Q58. How do you troubleshoot a pod in an error state?

Answer:

  1. Check pod logs:

kubectl logs pod-name -n namespace

  2. Describe the pod to view events:

kubectl describe pod pod-name -n namespace

Q59. Did you write Dockerfiles? What is the difference between ENTRYPOINT and CMD?

Answer: Yes, I have written Dockerfiles.

  • ENTRYPOINT: Defines the main command that always runs
  • CMD: Provides default arguments and can be overridden

ENTRYPOINT ["python"]
CMD ["app.py"]

Default execution: python app.py


Q60. What is the difference between COPY and ADD in Dockerfile?

Answer:

  • COPY: Copies files from host to container
  • ADD: Supports tar extraction and remote URLs

Best practice: Use COPY unless ADD features are required

COPY localfile.py /app/
ADD archive.tar.gz /app/

Q61. Explain CI/CD Pipeline Architecture?

Answer:

  • CI handled using Jenkins
  • Triggered via GitHub webhook
  • Builds Docker images and runs tests
  • Images pushed to Docker Hub
  • CD handled using ArgoCD (GitOps)

Q62. What monitoring tools have you used?

Answer:

  • Prometheus for metrics
  • Grafana for visualization
  • ELK stack for log aggregation
  • AWS CloudWatch for alerts

Q63. What is Observability?

Answer: Observability is the ability to understand system behavior using logs, metrics, and traces.


Q64. What is the difference between Logs, Metrics, and Traces?

Answer:

  • Logs: Text-based events
  • Metrics: Numerical performance data
  • Traces: Request flow across services

Q65. What is a Kubernetes Deployment and ReplicaSet?

Answer:

  • Deployment: Manages the lifecycle of applications, including rolling updates, rollbacks, and scaling.
  • ReplicaSet: Ensures that a specified number of pod replicas are running at all times.

Example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21

Q66. What is AWS VPC and Subnet?

Answer:

  • VPC (Virtual Private Cloud): A logically isolated virtual network in AWS.
  • Subnet: A subdivision of a VPC to group resources based on security or availability zones.

Example:

  • VPC CIDR: 10.0.0.0/16
  • Public Subnet CIDR: 10.0.1.0/24
  • Private Subnet CIDR: 10.0.2.0/24

Q67. Difference Between Security Group and NACL?

Answer:

  • Security Group: Stateful, instance-level firewall that allows inbound/outbound traffic.
  • NACL (Network ACL): Stateless, subnet-level firewall controlling inbound/outbound traffic rules.

Example:

  • Security Group allows SSH (port 22) for a specific instance.
  • NACL allows HTTP (port 80) for an entire subnet.

Q68. What is Terraform State File?

Answer:

Terraform state file stores resource mappings between your configuration and real-world infrastructure. It helps Terraform track resource changes and supports remote state storage for collaboration and safety.

Example:

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-demo-bucket"
}

Terraform stores this mapping in terraform.tfstate. Remote storage example: S3 bucket + DynamoDB locking.


Q69. What is Drift in Terraform?

Answer:

Drift occurs when infrastructure changes outside Terraform, causing the real-world state to differ from Terraform state.

Example:

  • Someone manually adds a tag to an AWS EC2 instance.
  • Terraform plan will detect this drift and can correct it.

Q70. What is an Ansible Playbook?

Answer:

An Ansible Playbook is a YAML file that automates configuration, orchestration, and application deployment.

Example:

- hosts: webservers
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: present

Q71. How do you debug a production issue?

Answer:

  • Check monitoring alerts (Grafana / CloudWatch)
  • Analyze logs using ELK stack or CloudWatch Logs
  • Review recent deployments or configuration changes
  • Rollback to the previous stable version if needed

Q72. Tell me about a recent outage you handled.

Answer:

A recent deployment caused increased memory usage, leading to pod restarts. We identified missing resource limits and fixed it by setting proper CPU/memory requests and limits in the pod spec.


Q73. What did you learn from it?

Answer:

Always define resource requests and limits and perform load testing before production deployment.


Q74. What Kubernetes version are you currently using?

Answer:

We are using a managed EKS cluster running Kubernetes v1.27. Version may vary based on AWS updates.


Q75. A pod is stuck in CrashLoopBackOff. How do you troubleshoot?

Answer:

  • Check pod logs: kubectl logs pod-name
  • Inspect init containers for failures
  • Verify environment variables and secrets
  • Check liveness and readiness probes

Q76. How do you enforce tenant isolation in Kubernetes?

Answer:

  • Use separate namespaces per tenant
  • Implement RBAC policies
  • Apply Network Policies for traffic control
  • Set resource quotas and limits per namespace

Q77. App shows intermittent 502 errors via Ingress during high traffic. How do you debug?

Answer:

  • Check Ingress controller logs
  • Verify backend service health
  • Check pod scaling and HPA configuration
  • Review timeout and load balancer settings

Q78. How do you overcome merge conflicts?

Answer:

  • Rebase frequently to keep your branch updated.
  • Resolve conflicts locally using git tools or IDEs.
  • Test thoroughly before merging to main or master.

Q79. What is Terraform and how is it different from CloudFormation and Ansible?

Answer:

  • Terraform: Multi-cloud Infrastructure as Code (IaC) tool.
  • CloudFormation: AWS-specific IaC tool.
  • Ansible: Configuration management and automation tool.

Q80. What happens if Terraform state file is deleted?

Answer:

If the Terraform state file is deleted, Terraform loses track of resources. The infrastructure still exists in the cloud, but you must re-import resources to manage them again.


Q81. Difference Between NAT Gateway and Bastion Host?

Answer:

  • NAT Gateway: Provides outbound internet access for private subnets.
  • Bastion Host: Provides secure SSH/RDP access to instances in private subnets.

Q82. How many IPs are reserved by AWS in a subnet?

Answer:

AWS reserves 5 IP addresses per subnet: the first four and the last IP address of the CIDR block.


Q83. If you have 10 layers in a Docker file and layer 6 fails, after fixing it, where will the rebuild start from, and why?

Answer:

If a Docker build fails at layer 6, Docker will rebuild from layer 6 onward using the cached layers 1–5 to optimize the build process.


Q84. Why Stateful Set over Deployment with PVC?

Answer:

Stateful Sets provide:

  • Stable pod identity (persistent network IDs and hostnames)
  • Ordered deployment and scaling
  • Per-pod persistent storage (via PVCs)

Q85. Will Stateful Set pods always stay on the same node?

Answer:

No. Pod identity remains the same, but Kubernetes may reschedule pods to a different node during failures or upgrades.


Q86. How do you access RDS in a private subnet?

Answer:

  • Via a bastion host that has access to the private subnet.
  • Using a VPN or AWS Direct Connect for secure connectivity.

Q87. Which SonarQube edition have you used?

Answer:

I have used SonarQube Community Edition and SonarCloud for CI/CD integration.


Q88. How do you upgrade an Amazon RDS MySQL database from version 7.0 to 8.0?

Answer:

Upgrading RDS MySQL should be tested in lower environments before production.

  1. Check compatibility (deprecated features, SQL mode changes).
  2. Create a snapshot backup of the RDS instance.
  3. Upgrade any read replicas first (if present).
  4. Modify the RDS instance and select MySQL 8.0 as the target engine version.
  5. Decide whether to apply immediately or during the maintenance window.
  6. Monitor logs and application connectivity post-upgrade.

Best Practice: Always upgrade in QA/staging before production.


Q89. How do you configure RDS so that only one user can access it at a time?

Answer:

This can be enforced at multiple layers:

  • Database Level: Create only one DB user and restrict privileges.
  • Security Groups: Allow inbound access only from a single IP or EC2 instance.
  • IAM Authentication: Enable IAM-based authentication for a single IAM role/user.
  • Connection Limits: Set max_user_connections = 1 in the DB parameter group.

Q90. In a multi-account AWS environment, how do users in one account access resources in another account?

Answer:

This is achieved using IAM Cross-Account Role Access.

  1. Create an IAM role in the resource-owning account.
  2. Add a trust policy allowing the other AWS account to assume the role.
  3. Attach required permissions to the role.
  4. Users in the other account use sts:AssumeRole to access resources.

This is secure and avoids sharing long-term credentials.


Q91. While creating an EC2 instance, you get an “IP address exceeded” error. How do you troubleshoot?

Answer:

This error occurs when the subnet has no available IP addresses.

Troubleshooting Steps:

  • Check the subnet CIDR and available IPs.
  • Remember AWS reserves 5 IP addresses per subnet.
  • Identify unused or stopped instances consuming IPs.
  • Delete unused ENIs (Elastic Network Interfaces).

Fix Options:

  • Create a new subnet with a larger CIDR block.
  • Use a different subnet with free IP addresses.
  • Redesign VPC IP addressing if hitting limits frequently.
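The arithmetic behind Q82 and Q91, as an added example not taken from the original answers: given a subnet CIDR, list the five addresses AWS reserves, compute the usable count, and report whether a launch that needs a given number of addresses still fits. The subnet and the in-use count are constructed values; the /24 comes from the Q66 example.

```python
import ipaddress

# AWS reserves the first four addresses of a subnet (network address, VPC
# router, DNS resolver, reserved for future use) and the last address.
RESERVED_LOW = 4
RESERVED_HIGH = 1


def _subnet(cidr):
    """Parse a subnet CIDR and enforce the AWS subnet size range (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in the given subnet, as strings."""
    net = _subnet(cidr)
    return [str(net[i]) for i in range(RESERVED_LOW)] + [str(net[-1])]


def usable_ip_count(cidr):
    """Number of addresses an ENI or instance can actually take in this subnet."""
    return _subnet(cidr).num_addresses - RESERVED_LOW - RESERVED_HIGH


def capacity_report(cidr, ips_in_use, ips_wanted=1):
    """Explain whether a launch needing ips_wanted addresses fits in the subnet.

    ips_in_use counts every address already held by an ENI (running or stopped
    instances, load balancers, and so on), which is what exhausts a subnet.
    """
    usable = usable_ip_count(cidr)
    free = usable - ips_in_use
    return {
        "cidr": cidr,
        "usable": usable,
        "in_use": ips_in_use,
        "free": free,
        "fits": free >= ips_wanted,
        "reserved": reserved_addresses(cidr),
    }


if __name__ == "__main__":
    # Constructed scenario: the /24 public subnet from Q66 with 250 addresses taken.
    print(capacity_report("10.0.1.0/24", ips_in_use=250, ips_wanted=2))
```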
