Reference · Case AI Interview

Your questions, answered

Every question you asked during the lessons, with the distilled answer. These are your personal weak-spot map — re-read this page the day before the interview, because your own past questions are the best predictor of what will feel shaky under pressure.

From Lesson 0001 (AWS core)

Q1 · "I don't know what DNS and CDN edge are."

DNS is the internet's phone book: it translates names (caseai.com) into the IP addresses computers actually route by; Route 53 is just AWS's phone-book service, same as editing DNS records in the Cloudflare dashboard. A CDN is a fleet of cache servers in hundreds of cities; the edge is whichever sits closest to the user, serving cached content so requests don't cross the planet — the origin is your real server behind it. On Cloudflare the CDN is the platform, which is why you never saw it; CloudFront is the same thing as an explicit product. → Lesson 0002

Q2 · "If we use Lambda as a serverless backend, what's the point of a dedicated backend server?"

Untangle two words: backend = your server-side code; server = the always-on process running it. Lambda IS a backend without a dedicated server (API Gateway + Lambda + DynamoDB is complete — your Buddy Ride backend on Workers + Convex was this pattern). A dedicated container (Fargate) wins for five workload shapes: jobs over 15 minutes, persistent connections/streaming, no cold-start latency, steady-traffic economics, and in-memory state like DB connection pools. Sound bite: "Serverless doesn't delete the server's job — it slices it per event."Lesson 0002 §3

Q3 · "How do we use IAM in the real world?"

One role per service, a JSON policy allow-listing exactly its actions (s3:GetObject on one bucket), ECS injects temporary credentials at runtime, the SDK finds them automatically — no keys in code or env vars, ever. Daily texture: policies edited as code in PRs, AccessDenied fixed by adding the one missing action (never a wildcard), humans through SSO-assumed roles. → Lesson 0002 §4

Between lessons 0002–0003

Q4 · "What are ALB, EC2, ECS — and is IAM for services instead of user roles?"

EC2 = a raw rented virtual machine (the original AWS product; everything else abstracts it). ECS = the container orchestrator: you declare task definitions + services, it schedules/heals/scales. ALB = the front-door load balancer: TLS termination, health checks, traffic spread across copies. The abstraction ladder: EC2 → ECS-on-EC2 → Fargate → Lambda. And IAM is for both humans and workloads — it's not scoped to the VPC. Two planes: VPC = network (which machines can reach which), IAM = identity (who may call which AWS APIs, from anywhere). A container needs both locks: the security-group path AND credentials. → Glossary

From Lesson 0003 (security)

Q5 · "What is TLS, and what does 'on every hop' mean?"

TLS (Transport Layer Security) is the encryption protocol under HTTPS — it protects data in motion between exactly two machines. A hop is one leg of the journey (browser → CloudFront → ALB → container → Aurora = four). TLS covers one leg at a time (the ALB decrypts to route), so every leg must be separately encrypted. And note: HTTPS is just HTTP-over-TLS — the web hops are HTTPS, but the database hop is Postgres-over-TLS, because TLS is protocol-agnostic. → Lesson 0003 §2

Q6 · "Is KMS the thing that cuts some tables per tenant?"

No — you described the bridge model (that instinct was right!), but the mechanism split is: isolation model (silo/pool/bridge) decides where data lives; row-level security decides what a query may return; KMS decides who can ever read the bytes — keys, not tables, working under any layout. They stack: pooled table + RLS + per-tenant key. And silo ≠ separate tables: silo means a dedicated database (or stack) per firm; separate tables in a shared DB is a halfway house nobody recommends — one leaked DB credential still reaches everything. → Lesson 0003 §3

Q7 · "What's the difference between KMS and IAM?"

IAM is the guard (authorization — checks every API call at the door); KMS is the safe (cryptography — the keys that scramble the bytes). They protect against different failures: IAM stops wrong API calls; KMS makes stolen disks/backups worthless noise. They interlock: using a KMS key is itself an API call that IAM authorizes and CloudTrail logs. → Lesson 0003 §2

Q8 · "KMS stores the key — but who takes the key to decrypt?"

Nobody takes the KMS key; it never leaves KMS. Envelope encryption: data is encrypted with a data key; that data key is stored wrapped (encrypted under the KMS key) next to the ciphertext. At read time the AWS service (S3, Aurora's storage engine) calls kms:Decrypt; KMS checks key policy + IAM, unwraps the data key inside its HSMs, returns it transiently; the service decrypts in memory and discards it. Disable the key → every unwrap fails forever, even in backups: deletion by cryptography. → Glossary: envelope encryption

Q9 · "What is SOC 2 and OWASP in the long form?"

SOC = System and Organization Controls (AICPA's audit-report suite; SOC 2 is the security/trust one for service companies — and mind the pronunciation: "SOC two", not "SOP 2"). OWASP = Open Worldwide Application Security Project (renamed from "Open Web…" in 2023), the nonprofit behind the Top 10 risk list. → Security cheat sheet

Keep this page growing Every new question you ask in a session gets added here. Asking is not a weakness signal — your questions built Lesson 0002 and half the glossary.