← Back to Blog
AWS Interview Questions & Answers for Cloud Infrastructure Engineer (Mid-level)
AWS12 questions·Jul 1, 2026

AWS Interview Questions & Answers for Cloud Infrastructure Engineer (Mid-level)

This guide collects 12 real-world AWS interview questions with clear, interviewer-ready model answers, tailored for Cloud Infrastructure Engineer candidates, at the Mid-level level. Use it to revise quickly, spot gaps, and rehearse strong answers before your next interview.

1. Explain the difference between AWS Security Groups and Network ACLs, and when you would use each in an industrial IoT deployment.

Security Groups are stateful firewalls at the instance level that allow inbound rules to automatically permit return traffic, while NACLs are stateless subnet-level filters requiring explicit rules for both directions; use Security Groups for instance-level protection in IoT gateways and NACLs for subnet-wide segmentation in critical manufacturing networks.

2. Walk us through how you would design a multi-AZ deployment for an industrial IoT edge gateway on AWS that needs to handle 10,000 sensor connections with minimal latency.

I would use an Auto Scaling Group spanning multiple AZs with Network Load Balancers for ultra-low latency, deploy gateways on EC2 or ECS with persistent state stored in ElastiCache Redis for session data, and use AWS Wavelength or Local Zones for ultra-low latency in edge locations near manufacturing plants.

3. A customer's utility SCADA system is experiencing intermittent DynamoDB throttling during peak meter reading ingestion. How would you diagnose and resolve this?

I would check CloudWatch metrics for ProvisionedThroughputExceeded errors and examine the access pattern; then either implement on-demand billing if unpredictable, provision higher capacity with auto-scaling, or redesign the partition key to distribute writes evenly across partitions instead of hot partitions.

4. Describe how you would implement encryption at rest and in transit for sensitive manufacturing IoT data flowing through AWS.

For transit, I would use TLS 1.2+ with AWS Certificate Manager for IoT gateways and enforce HTTPS/MQTTS protocols; for rest, I would enable KMS encryption on S3 buckets storing historical data, RDS with encrypted snapshots, and encrypted EBS volumes on EC2 instances processing sensor data.

5. Explain how AWS IoT Core differs from generic MQTT brokers, and why you would choose it for a roadway traffic management system.

AWS IoT Core provides device authentication via X.509 certificates, built-in message filtering and routing rules, direct integration with Lambda and DynamoDB, and automatic scaling for millions of devices; it's superior for roadway systems because it handles device identity, state management via Device Shadow, and reduces custom MQTT broker maintenance.

6. A manufacturing customer wants to process real-time sensor data from 500 machines but only store historical data for 90 days. Which AWS services would you combine, and why?

I would use Kinesis Data Streams for real-time ingestion and processing, Kinesis Data Firehose to batch write to S3 with Parquet format for cost efficiency, apply S3 Lifecycle Policies to transition older data to Glacier after 90 days, and optionally use Timestream for time-series queries if analytics are performance-critical.

7. How would you use AWS Systems Manager or Parameter Store to manage configuration across 200 industrial IoT gateways deployed in the field?

I would store gateway configurations (firmware versions, polling intervals, encryption keys) in Parameter Store with hierarchical naming (e.g., /utilities/gateway/firmware-version), use IAM roles for secure access, and deploy an agent that polls for configuration changes; this enables centralized updates without field visits and provides version control and audit trails.

8. Explain how you would set up VPC endpoints to keep IoT traffic from utilities and manufacturing plants private while accessing AWS services.

I would create Interface VPC endpoints for S3, DynamoDB, Kinesis, and IoT Core within the customer's VPC, attach IAM policies restricting access to those endpoints only, and enable Private DNS so existing code continues working; this keeps all traffic on the AWS backbone instead of traversing the public internet, improving security and reducing data transfer costs.

9. A roadway IoT system must comply with regional data sovereignty regulations. How would you architect a multi-region deployment on AWS?

I would replicate data to region-specific S3 buckets using S3 Cross-Region Replication with encryption, deploy IoT gateways in each region using local VPCs, use Route 53 for geographic routing, and implement DynamoDB Global Tables for near-real-time synchronization while respecting data residency boundaries.

10. How would you monitor and alert on the health of 10,000 distributed IoT gateways using CloudWatch and SNS?

I would configure each gateway to send heartbeat metrics to CloudWatch every 5 minutes via PutMetricData, create composite alarms that trigger if heartbeat is missing for >15 minutes, use SNS to notify operations teams via email and SMS, and build a CloudWatch dashboard showing gateway health status aggregated by region and device type.

11. Describe a scenario where you would use AWS Lambda@Edge versus a traditional EC2/ECS deployment for IoT gateway processing.

Use Lambda@Edge only for lightweight, stateless operations like SSL termination or request filtering at CloudFront edge locations; for stateful IoT processing, use ECS/EC2 because gateways need persistent connections, local caching, and sub-100ms latency that requires proximity to the actual sensors, not just CDN edges.

12. Walk us through how you would implement role-based access control (RBAC) for a manufacturing customer with operators, supervisors, and administrators accessing an IoT dashboard on AWS.

I would use IAM roles with fine-grained policies for each role, integrate Cognito for user authentication with role-based claims, configure bucket policies and RDS resource-based policies per role, and implement API Gateway authorization using Cognito tokens so operators see only their plant's data, supervisors see their region, and admins see everything.

Practice these in a real mock interview
Get scored live and see ideal answers with an AI interviewer.
Start a Mock Interview →
← Previous
Azure Interview Questions & Answers for Azure DevOps Engineer (Senior)
Next →
AWS Interview Questions & Answers for Solutions Architect (Lead)

Related interview questions

AWS Interview Questions & Answers for Solutions Architect (Lead)
AWS · 12 Qs
AWS Interview Questions & Answers for Solutions Architect (Lead)
Kubernetes Interview Questions & Answers for Kubernetes Engineer (Mid-level)
K8s · 12 Qs
Kubernetes Interview Questions & Answers for Kubernetes Engineer (Mid-level)
Azure Interview Questions & Answers for Azure DevOps Engineer (Senior)
AZ · 12 Qs
Azure Interview Questions & Answers for Azure DevOps Engineer (Senior)