
Quiz: AWS Troubleshooting


10 questions

L1 (6 questions)

1. An EC2 instance can't reach the internet. What do you check?

1. Public IP or Elastic IP assigned?
2. Route table has 0.0.0.0/0 pointing to an Internet Gateway.
3. Security group allows outbound traffic.
4. NACL allows outbound AND return inbound traffic (NACLs are stateless).
5. Instance is in a public subnet. For private subnets, check NAT gateway.

2. What is the difference between Security Groups and NACLs?

Security Groups: stateful (return traffic auto-allowed), instance-level, allow rules only, evaluated as a group. NACLs: stateless (must allow both directions), subnet-level, allow AND deny rules, evaluated in order. Most issues come from NACLs blocking return traffic.

3. An S3 PutObject call fails with Access Denied. The IAM policy allows s3:PutObject. What else could block it?

1. Bucket policy with explicit deny.
2. Bucket has Block Public Access enabled and the request looks public.
3. Object-level ACL conflicts.
4. AWS Organizations SCP.
5. VPC endpoint policy restricting the bucket.
6. Wrong account — bucket is in a different account and cross-account access isn't configured.

4. ALB returns 504 Gateway Timeout. What do you investigate?

1. Are the backend targets healthy? Check target group health.
2. Backend is actually responding within the ALB idle timeout (default 60s).
3. Security group allows traffic from ALB to target on the correct port.
4. Application is listening on the port the target group expects.
5. Backend is overloaded and not responding in time.

5. How do you debug DNS resolution issues in AWS?

1. Check if the VPC has DNS resolution enabled (enableDnsSupport).
2. Check if DNS hostnames are enabled (enableDnsHostnames).
3. Verify Route 53 private hosted zone is associated with the VPC.
4. Check DHCP options set for custom DNS.
5. From EC2: dig @169.254.169.253 hostname to test VPC resolver directly.

6. What is the difference between EBS and instance store?

EBS: persistent network-attached storage, survives stop/start, supports snapshots. Instance store: ephemeral local NVMe/SSD, lost on stop/terminate/hardware failure, highest IOPS. Use EBS for data that must persist. Use instance store for caches, temp files, or when you replicate at the application layer.

L2 (4 questions)

1. IAM policy simulator says Allow but the API call returns Access Denied. What is happening?

Policy simulator does not evaluate:
1. Service Control Policies (SCPs).
2. VPC endpoint policies.
3. S3 bucket policies with conditions.
4. Permission boundaries.
5. Session policies.
6. Resource-based policy conditions (aws:SourceIp, aws:SourceVpc).
Check CloudTrail for the exact deny reason.

2. An EKS pod can't reach an RDS instance in the same VPC. What do you check?

1. RDS security group allows inbound from the pod's security group or CIDR.
2. Pod is in a subnet that can route to the RDS subnet.
3. DNS resolution works (RDS endpoint resolves).
4. NACLs between subnets.
5. If using IAM auth, the pod's service account/IRSA role has rds-db:connect permission.

3. EC2 instance fails to start with InsufficientInstanceCapacity. What do you do?

1. Try a different Availability Zone.
2. Try a different instance type in the same family.
3. Use a capacity reservation if the instance type is critical.
4. Wait and retry — capacity is dynamic.
5. For spot instances, diversify instance types and AZs.
6. Consider On-Demand Capacity Reservations for consistent availability.

4. CloudWatch shows high CPU on an RDS instance but the app team says query volume hasn't changed. What do you check?

1. Slow query log — a missing index or bad query plan can spike CPU.
2. Check for lock contention (deadlocks cause retries).
3. Maintenance window running (vacuum, analyze, backups).
4. Parameter group change causing recomputation.
5. Replication lag causing replay pressure on a read replica.
6. Check Performance Insights for top SQL.