Core security principles and operational practices for cloud computing environments. Topics include the shared responsibility model and delineation of provider and customer responsibilities, identity and access management basics and least privilege, secure configuration and common cloud misconfigurations, data protection including encryption at rest and encryption in transit, key and secrets management basics, network security and segmentation, secure API design, audit logging, monitoring and alerting, cloud security posture management and automated misconfiguration detection, incident response and forensic readiness in cloud environments, governance, compliance and data residency considerations, strategies to reduce blast radius and prevent privilege escalation, and common cloud specific threats and mitigations. Candidates should be able to discuss trade offs, how to apply controls across major cloud providers, detection and mitigation strategies, and practical examples of securing cloud workloads.
MediumTechnical
71 practiced
Design authentication and authorization for a public API hosted in the cloud. Cover choices between API keys, OAuth2 (authorization code and client credentials), JWT validation strategies, token revocation, scopes, rate-limiting, TLS termination placement, WAF usage, and protection against replay or credential compromise. Explain pros/cons and an implementation approach for a multi-tenant API.
EasyTechnical
75 practiced
Describe the essential components of an incident response playbook for cloud security incidents (detection, triage, containment, eradication, recovery, lessons learned). Include specific cloud actions (for example: snapshotting EBS volumes, exporting CloudTrail/Activity logs, isolating VMs or containers, revoking keys), runbook triggers and thresholds, roles and responsibilities, and how to keep the playbook actionable under stress.
EasyTechnical
54 practiced
Explain the cloud shared responsibility model and provide concrete examples of which security controls are the cloud provider is responsible for and which are the customer's responsibility in AWS, Azure, and GCP. Cover compute (VMs & serverless), storage (object/block), networking, and managed services. For each example mention potential compliance implications and who should own monitoring, patching, and incident response.
EasyTechnical
71 practiced
Explain different multi-factor authentication (MFA) mechanisms available for cloud accounts (TOTP, hardware keys, SMS, push notifications, FIDO/WebAuthn). For AWS, Azure, and GCP describe how to enable MFA for console access and programmatic access, limitations of each method, and a secure approach to handling emergency/break-glass accounts.
MediumSystem Design
53 practiced
Design a secure, fault-tolerant network architecture for a three-tier web application deployed in AWS across two Availability Zones serving 10k RPS with a managed database backend. Provide a diagram-level description including VPC/subnets, ALB placement, private app subnets, DB in private subnet, NAT gateways, bastion or SSM access, security groups, VPC Flow Logs, and DDoS protections. Explain how you'd structure accounts (prod/non-prod/security) and minimize blast radius.
Unlock Full Question Bank
Get access to hundreds of Cloud Security Fundamentals interview questions and detailed answers.
