Deep dive
Expanding on the short answer — what usually matters in practice:
- Context (tags): iam, security, least-privilege
- Lifecycle: what happens at runtime (render/build, request/response, background jobs).
- Caching: where cache lives, cache keys, how to invalidate without chaos.
- Security: authn/authz, secrets, attack surface (SSRF/CSRF).
- Explain the "why", not just the "what" (intuition + consequences).
- Trade-offs: what you gain/lose (time, memory, complexity, risk).
- Edge cases: empty inputs, large inputs, invalid inputs, concurrency.
Examples
Here’s an additional example (building on the short answer):
{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::my-bucket/*"]
}
Common pitfalls
- Too generic: no concrete trade-offs or examples.
- Mixing average-case and worst-case (e.g., complexity).
- Ignoring constraints: memory, concurrency, network/disk costs.
Interview follow-ups
- When would you choose an alternative and why?
- What production issues show up and how do you diagnose them?
- How would you test edge cases?