InterviewStack.io

Cloud Security Fundamentals Questions

Core security principles and operational practices for cloud computing environments. Topics include the shared responsibility model and delineation of provider and customer responsibilities, identity and access management basics and least privilege, secure configuration and common cloud misconfigurations, data protection including encryption at rest and encryption in transit, key and secrets management basics, network security and segmentation, secure API design, audit logging, monitoring and alerting, cloud security posture management and automated misconfiguration detection, incident response and forensic readiness in cloud environments, governance, compliance and data residency considerations, strategies to reduce blast radius and prevent privilege escalation, and common cloud-specific threats and mitigations. Candidates should be able to discuss trade-offs, how to apply controls across major cloud providers, detection and mitigation strategies, and practical examples of securing cloud workloads.

Easy / Technical
60 practiced
Define encryption at rest and encryption in transit. Give concrete examples of how each is implemented on major clouds (for example: SSE-S3, EBS encryption, Cloud SQL encryption, TLS termination at load balancers, VPNs) and describe practical methods to validate encryption is enforced and how to manage key lifecycle, rotation, and access controls.
Hard / Technical
74 practiced
An attacker exploited a vulnerable container image in your Kubernetes cluster and deleted critical pods. Outline an end-to-end forensic investigation plan to determine the attack vector, scope, and impact. Include steps to capture memory and disk artifacts from ephemeral containers, collect control-plane logs and events, preserve Kubernetes metadata (pods, events, resource versions), capture cloud provider logs (CloudTrail/Activity), and address chain-of-custody for evidence.
Medium / System Design
110 practiced
Design a logging and alerting architecture for a multi-account cloud environment that centralizes logs, provides parsing and indexing for security analysis, supports retention policies for compliance, enforces RBAC for access to logs, and provides real-time alerting. Include how to replicate logs for forensic readiness, ensure log immutability, and control costs for high-volume sources.
Medium / System Design
53 practiced
Design a secure, fault-tolerant network architecture for a three-tier web application deployed in AWS across two Availability Zones serving 10k RPS with a managed database backend. Provide a diagram-level description including VPC/subnets, ALB placement, private app subnets, DB in private subnet, NAT gateways, bastion or SSM access, security groups, VPC Flow Logs, and DDoS protections. Explain how you'd structure accounts (prod/non-prod/security) and minimize blast radius.
Hard / System Design
58 practiced
Prepare a ransomware prevention and recovery design for cloud workloads and data. Cover immutable backups (WORM/Object Lock), backup account separation, cross-region replication strategy, backup encryption and KMS key separation, least-privilege for backup operators, automated testing of restores, and cost controls. Also describe detection signals that might indicate ransomware activity and the immediate playbook actions you'd take.
