Interview › AWS

What is an AMI, and how do you build standardised, hardened images?

AWS · Advanced level

Answer

An AMI is a launch template image for EC2. I build hardened AMIs with Image Builder or Packer, applying patches, CIS controls, agents, IMDSv2, vulnerability scans, no embedded secrets, and versioned promotion.

Technical explanation

Never bake secrets into AMIs; use roles and secret stores at runtime.

Operations at scale should prefer managed access, automation, immutable infrastructure, repeatable runbooks, and auditability over manual host-by-host changes.

Troubleshooting should isolate layers: identity, network, host, application, dependency, deployment, and AWS service signals.

Patch, access, AMI, and incident workflows must be tested and measurable so they do not depend on tribal knowledge.

Hands-on example

1. Set up a sandbox EC2 fleet with SSM Agent, IAM instance role, CloudWatch Agent, hardened AMI baseline, and no unnecessary inbound access.

2. Perform the operation through automation: Session Manager, Run Command, Patch Manager, Image Builder, ASG instance refresh, or a runbook.

3. Introduce a realistic failure and use logs, metrics, status checks, and reachability tools to troubleshoot layer by layer.

4. Update the runbook and define the alarm or compliance check that would catch the issue next time.

More AWS interview questions

• What is the AWS shared responsibility model, and where is the line between AWS and the customer?
• Explain the difference between a Region, an Availability Zone, and an Edge Location.
• What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
• Difference between a public and a private subnet, and how does each reach the internet?
• What is the difference between a Security Group and a Network ACL?
• Are Security Groups stateful or stateless? What about NACLs?
• What is an Internet Gateway versus a NAT Gateway, and when do you need each?
• How does a NAT Gateway differ from a NAT instance?

← All AWS questions