
Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management; authentication and authorization patterns; role-based access control and least privilege; secrets management and rotation; encryption for data at rest and in transit; network segmentation and microsegmentation; zero trust architecture; audit logging and retention; vulnerability scanning and patch and remediation workflows; endpoint protection; threat detection and monitoring; threat modeling and risk assessment; incident detection and response planning and runbooks; software supply chain security, including artifact signing, dependency scanning, and provenance; policy as code and automated security gates in continuous integration and continuous delivery (CI/CD) pipelines; automated testing and validation of controls; and the trade-offs between security controls and developer velocity.

Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), SOC 2, the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

Hard / System Design
69 practiced
Design an automated remediation pipeline that takes a detected vulnerability through triage, patch deployment, automated health checks, verification, and rollback if necessary. Describe orchestration components, approval gates, integrations with ticketing and CMDB, and how to generate an audit trail for compliance purposes.
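A worked sketch of the orchestration core, added here as an example rather than as content from the question bank: a hash-chained audit trail, an approval gate keyed on the asset's CMDB environment, and a deploy, health-check, verify, rollback sequence that records every transition. The CMDB, ticket store, deployer, health checks and scanner are hypothetical in-memory stand-ins injected as dicts and callables, and the finding and asset data in demo() are constructed.

```python
"""Remediation orchestrator: triage -> approval gate -> deploy -> health checks
-> verification, rolling back on failure and writing a hash-chained audit trail.
Added example, not from the original page. The CMDB, ticket store, deployer,
health checks and scanner are hypothetical in-memory stand-ins, and the
finding and asset data in demo() are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log; each record commits to its predecessor's hash, so a
    deleted, inserted or edited record makes verify_chain() fail."""

    def __init__(self):
        self.records = []

    def append(self, stage, outcome, actor, **details):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": datetime.now(timezone.utc).isoformat(),
                "stage": stage, "outcome": outcome, "actor": actor,
                "details": details, "prev": prev}
        body["hash"] = _digest(body)
        self.records.append(body)

    def verify_chain(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def remediate(finding, cmdb, tickets, approve, deploy, rollback, health_checks, rescan, trail):
    """Drive one finding to a terminal state (rejected, awaiting_approval,
    rolled_back or remediated); every transition is written to the trail."""
    asset = finding["asset"]
    record = cmdb.get(asset)
    if record is None:  # no CMDB owner means nobody can approve or verify the change
        trail.append("triage", "rejected", "pipeline", asset=asset, reason="asset not in CMDB")
        return "rejected"
    tid = f"SEC-{len(tickets) + 1}"  # ticket store stands in for a ticketing API
    tickets[tid] = {"cve": finding["cve"], "owner": record["owner"], "status": "open", "notes": []}
    trail.append("triage", "accepted", "pipeline", ticket=tid, cve=finding["cve"],
                 asset=asset, env=record["env"], owner=record["owner"])

    # Approval gate: production needs a named human approver; lower environments
    # auto-approve so routine patching keeps its velocity.
    if record["env"] == "prod":
        approver = approve(tid, finding)
        if not approver:
            trail.append("approval", "pending", "pipeline", ticket=tid)
            return "awaiting_approval"
        trail.append("approval", "granted", approver, ticket=tid)
    else:
        trail.append("approval", "auto", "pipeline", ticket=tid, env=record["env"])

    snapshot = deploy(asset, finding["fix"])  # deployer returns the handle rollback needs
    trail.append("deploy", "applied", "pipeline", ticket=tid, fix=finding["fix"], snapshot=snapshot)

    failed = [name for name, check in health_checks.items() if not check(asset)]
    reason = (f"health checks failed: {failed}" if failed
              else "rescan still reports the CVE" if rescan(asset, finding["cve"]) else None)
    if reason:
        rollback(asset, snapshot)
        trail.append("rollback", "completed", "pipeline", ticket=tid, snapshot=snapshot, reason=reason)
        tickets[tid].update(status="reopened", notes=[reason])
        return "rolled_back"
    trail.append("verify", "passed", "pipeline", ticket=tid, checks=list(health_checks))
    tickets[tid].update(status="closed", notes=["patched and verified by rescan"])
    return "remediated"

def demo(healthy=True, approved=True):
    """Run the orchestrator on constructed stand-ins; returns (state, trail, tickets, installed)."""
    cmdb = {"web-01": {"owner": "team-payments", "env": "prod"}}
    finding = {"cve": "CVE-0000-0001", "asset": "web-01", "fix": "openssl-3.0.14"}  # constructed
    installed = {"web-01": "openssl-3.0.13"}  # package state the deployer mutates
    tickets, trail = {}, AuditTrail()

    def deploy(asset, fix):
        previous, installed[asset] = installed[asset], fix
        return previous

    def rollback(asset, previous):
        installed[asset] = previous

    state = remediate(
        finding, cmdb, tickets,
        approve=lambda tid, f: "alice@example.com" if approved else None,
        deploy=deploy, rollback=rollback,
        health_checks={"http_200": lambda a: healthy, "tls_handshake": lambda a: True},
        rescan=lambda asset, cve: installed[asset] != finding["fix"],
        trail=trail)
    return state, trail, tickets, installed
```

demo() returns "remediated" when the health checks pass and the rescan no longer reports the CVE, "rolled_back" when a check fails (the deployer's snapshot handle is restored and the ticket reopened with the reason), and "awaiting_approval" when no production approver signs off. trail.verify_chain() fails as soon as any record is edited after the fact, which is the property an auditor wants from the trail; in a real pipeline the records would be shipped to write-once storage rather than kept in memory.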
Medium / Technical
71 practiced
Describe how you'd use Open Policy Agent (OPA) as a policy-as-code gate in a CI pipeline (for example GitHub Actions or Jenkins) to block builds if container images exceed a CVE severity threshold or if SBOM metadata is missing. Provide a high-level Rego policy example and explain integration points and evaluation timing.
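The decision logic of such a gate, written in Python as an added example (not the question bank's answer, and not Rego): in OPA the same checks would be a set of deny[msg] rules over an input document carrying the scan result and the SBOM, evaluated as a job step after the image is built and scanned but before it is pushed or promoted, with something like opa eval --fail-defined -i input.json -d policy.rego 'data.ci.deny' turning a non-empty deny set into a failed job. SCAN_RESULT and SBOM below are constructed inputs only loosely shaped like Trivy JSON and CycloneDX, the CVE identifiers are placeholders, and the fixable_only filter is a design choice added here rather than something the question asks for.

```python
"""CI security gate: fail the build when a container image scan exceeds a CVE
severity threshold or the image's SBOM is missing or incomplete.
Added example, not from the original page. The decision logic is what an OPA
deny[msg] rule set would express over the same input document, written in
Python so it runs stand-alone; SCAN_RESULT and SBOM are constructed inputs
shaped loosely like Trivy JSON and CycloneDX, not any tool's exact schema."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
REQUIRED_SBOM_FIELDS = ("bomFormat", "specVersion", "serialNumber", "components")


def evaluate_gate(scan, sbom, threshold="HIGH", fixable_only=True):
    """Return the list of deny messages; an empty list means the build may proceed.
    Like an OPA deny set, every violated rule contributes one message, so the
    developer sees the whole picture instead of the first failure."""
    deny = []
    limit = SEVERITY_RANK[threshold.upper()]
    for result in scan.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN").upper(), 0)
            if rank < limit:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue  # unfixable findings are tracked, not blocked, to avoid a permanently red build
            fixed = f", fixed in {vuln['FixedVersion']}" if vuln.get("FixedVersion") else ""
            deny.append(f"{vuln['VulnerabilityID']} ({vuln['Severity']}) in "
                        f"{vuln['PkgName']}@{vuln['InstalledVersion']}{fixed}")
    if sbom is None:
        deny.append("SBOM missing: no bill of materials attached to the image")
    else:
        for field in REQUIRED_SBOM_FIELDS:
            if field not in sbom:
                deny.append(f"SBOM incomplete: required field '{field}' missing")
        if sbom.get("components") == []:
            deny.append("SBOM incomplete: components list is empty")
    return deny


# Constructed sample inputs (CVE IDs are placeholders, not real advisories).
SCAN_RESULT = {
    "ArtifactName": "registry.example.com/payments-api:1.4.2",
    "Results": [{
        "Target": "payments-api:1.4.2 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
             "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "InstalledVersion": "7.88.1-10",
             "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "InstalledVersion": "1.2.13-1",
             "FixedVersion": "1.2.13-2", "Severity": "MEDIUM"},
        ],
    }],
}
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
        "components": [{"type": "library", "name": "libssl3", "version": "3.0.11-1"}]}


def main(argv):
    """Pipeline-step shape: print the decision as JSON and exit 1 on deny so the job fails."""
    threshold = argv[1] if len(argv) > 1 else "HIGH"
    messages = evaluate_gate(SCAN_RESULT, SBOM, threshold)
    print(json.dumps({"image": SCAN_RESULT["ArtifactName"], "threshold": threshold,
                      "deny": messages}, indent=2))
    return 1 if messages else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats the gate should make explicit in its messages: a CRITICAL finding with no available fix is skipped by the fixable_only filter and needs its own tracking path (an exception ticket with an expiry), and the SBOM check verifies presence and shape, not provenance; pairing it with a signature check on the SBOM attestation is what keeps a build from satisfying the gate with a hand-edited document.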
Easy / Technical
63 practiced
What core audit logs should a DevOps team collect for infrastructure security (cloud API/control plane logs, OS/system logs, container runtime events, auth events)? How would you decide retention periods and storage locations to satisfy both operational investigations and basic compliance requirements while managing cost?
Hard / System Design
66 practiced
Design compliance and security controls for a SaaS application that stores protected health information (PHI) under HIPAA. Address encryption, access controls, audit logging, breach notification workflows, business associate agreements (BAAs), region selection and data residency, and automation for evidence collection during audits.
Hard / Technical
75 practiced
Design an automated system that analyzes IAM role usage across cloud accounts, recommends least-privilege policy changes, and can optionally apply those changes with automated rollback if services break. Describe data sources, heuristics to avoid over-restriction, safe rollout (canaries), and validation checks before committing policy changes.
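One way to do the analysis and recommendation step, added as an example rather than as the question bank's own answer: diff the actions a role is granted against the actions seen in a CloudTrail-style event stream, narrow wildcards to what was actually used, drop what was never used, and refuse to recommend anything on a short observation window. COMPANION_ACTIONS (iam:PassRole is authorized as part of ec2:RunInstances and never appears as its own event) and PROTECTED_ACTIONS are illustrative heuristics against over-restriction; ROLE_POLICY and TRAIL_EVENTS are constructed, and the eventSource/eventName to action mapping is a simplification that does not hold 1:1 for every service.

```python
"""Least-privilege recommender: compare the IAM actions a role is granted with
the actions it actually used, and emit a narrowed policy plus the evidence.
Added example, not from the original page. ROLE_POLICY and TRAIL_EVENTS are
constructed to resemble an IAM policy document and CloudTrail records; the
eventSource/eventName -> action mapping and the COMPANION_ACTIONS table are
simplifications (CloudTrail naming is not 1:1 with IAM actions everywhere)."""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

MIN_OBSERVATION_DAYS = 30               # refuse to recommend on a shorter history
PROTECTED_ACTIONS = {"sts:AssumeRole"}  # never auto-removed (hypothetical allow-list)
# Actions authorized as a side effect of another call, so they never appear in
# the trail as their own events. Partial table, for illustration only.
COMPANION_ACTIONS = {"ec2:RunInstances": {"iam:PassRole"}}


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event_to_action(event):
    # "s3.amazonaws.com" + "GetObject" -> "s3:GetObject" (simplified mapping)
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def used_actions(events, now, lookback_days):
    """Actions seen inside the lookback window, plus the companions they imply."""
    cutoff = now - timedelta(days=lookback_days)
    used = {event_to_action(e) for e in events if parse_time(e["eventTime"]) >= cutoff}
    for action in list(used):
        used |= COMPANION_ACTIONS.get(action, set())
    return used


def recommend(policy, events, now, lookback_days=90):
    """Return keep/narrow/remove decisions and the resulting policy, or
    status=insufficient_data when the history is too short to trust."""
    if not events:
        return {"status": "insufficient_data", "observed_days": 0}
    observed_days = (now - min(parse_time(e["eventTime"]) for e in events)).days
    if observed_days < MIN_OBSERVATION_DAYS:
        return {"status": "insufficient_data", "observed_days": observed_days}
    used = used_actions(events, now, lookback_days)
    keep, narrowed, remove, statements = [], {}, [], []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":  # Deny statements are left untouched
            statements.append(stmt)
            continue
        granted = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        new_actions = []
        for pattern in granted:
            matches = sorted(a for a in used if fnmatch.fnmatchcase(a, pattern))
            if pattern in PROTECTED_ACTIONS:
                keep.append(pattern)
                new_actions.append(pattern)
            elif not matches:
                remove.append(pattern)
            elif any(c in pattern for c in "*?"):  # wildcard: replace with what was really used
                narrowed[pattern] = matches
                new_actions.extend(matches)
            else:
                keep.append(pattern)
                new_actions.append(pattern)
        if new_actions:  # drop statements left with nothing to allow
            statements.append({**stmt, "Action": new_actions})
    return {"status": "ok", "observed_days": observed_days, "keep": keep,
            "narrowed": narrowed, "remove": remove,
            "policy": {"Version": policy["Version"], "Statement": statements}}


# Constructed inputs: a deploy role's current policy and its trail over ~4 months.
NOW = parse_time("2024-06-01T00:00:00Z")
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:Put*", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::deploy-artifacts/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
]}
TRAIL_EVENTS = [
    {"eventTime": "2024-01-15T08:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject"},  # stale
    {"eventTime": "2024-03-05T09:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2024-04-02T11:40:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventTime": "2024-05-20T14:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventTime": "2024-05-21T14:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventTime": "2024-05-30T16:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
]

if __name__ == "__main__":
    print(json.dumps(recommend(ROLE_POLICY, TRAIL_EVENTS, NOW), indent=2))
```

On the constructed data the recommender narrows s3:Get* and s3:Put* to the single actions observed, narrows ec2:* to DescribeInstances and RunInstances, removes s3:DeleteObject (last used outside the 90-day lookback) and kms:GenerateDataKey, and keeps iam:PassRole only because the companion table infers it from RunInstances; without that heuristic the role would break on the next launch, which is the over-restriction the question warns about. The output is a recommendation to feed a canary rollout, not a policy to apply blindly: the observed_days figure and the remove list are the evidence a reviewer needs before the change goes to a first account.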
