InterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management (IAM); authentication and authorization patterns; role-based access control (RBAC) and least privilege; secrets management and rotation; encryption of data at rest and in transit; network segmentation and microsegmentation; zero trust architecture; audit logging and retention; vulnerability scanning and patch and remediation workflows; endpoint protection; threat detection and monitoring; threat modeling and risk assessment; incident detection and response planning and runbooks; software supply chain security, including artifact signing, dependency scanning, and provenance; policy as code and automated security gates in continuous integration and continuous delivery (CI/CD) pipelines; automated testing and validation of controls; and the trade-offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), SOC 2 (System and Organization Controls 2), the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

Easy | Technical | 56 practiced
Describe a practical approach to integrate vulnerability scanning for container images and VM images into CI/CD and runtime platforms. Include where scans should run (build vs registry vs runtime), cadence, gating rules for CVSS thresholds, triage workflows, and approaches to minimize developer friction while ensuring critical issues are remediated promptly.
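
One way to implement the gating rules this question asks about, as an added example that is not part of the question bank or any answer key: a policy-as-code gate that runs over scanner findings (from a build-time or registry scan) and decides whether an image may be promoted. It blocks on critical findings that have a fix, blocks high-severity findings only once they pass a remediation SLA, lets unfixable findings through as triage warnings, and honours time-boxed risk acceptances. All policy values, package versions and CVE identifiers are constructed placeholders (the `CVE-0000-*` IDs are not real advisories); the scanner output shape is assumed, not taken from any particular tool.

```python
"""CI gate over container/VM image scan results: CVSS thresholds, remediation SLAs,
and time-boxed risk acceptances. Stdlib only; scanner output shape is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Policy knobs (illustrative values, assumed for this example; tune per organisation).
BLOCK_CVSS = 9.0      # critical: block immediately when a fix exists
HIGH_CVSS = 7.0       # high: warn, then block once older than HIGH_SLA_DAYS
HIGH_SLA_DAYS = 30    # remediation SLA for high-severity findings


@dataclass(frozen=True)
class Finding:
    cve: str                        # CVE-0000-* IDs below are placeholders, not real advisories
    package: str
    cvss: float
    fixed_version: Optional[str]    # None = upstream has no fix yet
    first_seen: date                # when the registry scan first reported it


@dataclass(frozen=True)
class Acceptance:
    """Time-boxed risk acceptance recorded by security triage."""
    cve: str
    package: str
    expires: date
    ticket: str


@dataclass
class GateResult:
    blocking: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings: List[Finding], acceptances: List[Acceptance],
             today: Optional[date] = None) -> GateResult:
    today = today or date.today()
    result = GateResult()
    # Only unexpired acceptances count; an expired one silently falls back to policy.
    active = {(a.cve, a.package): a for a in acceptances if a.expires >= today}
    for f in findings:
        label = f"{f.cve} in {f.package} (CVSS {f.cvss})"
        acc = active.get((f.cve, f.package))
        if acc is not None:
            result.warnings.append(f"{label}: accepted until {acc.expires} under {acc.ticket}")
            continue
        if f.fixed_version is None:
            # Nothing the developer can change in this build; route to triage, do not block.
            result.warnings.append(f"{label}: no upstream fix, needs triage/mitigation")
            continue
        age_days = (today - f.first_seen).days
        if f.cvss >= BLOCK_CVSS:
            result.blocking.append(f"{label}: critical, upgrade to {f.fixed_version}")
        elif f.cvss >= HIGH_CVSS and age_days > HIGH_SLA_DAYS:
            result.blocking.append(f"{label}: high severity {age_days}d old, past {HIGH_SLA_DAYS}d SLA")
        elif f.cvss >= HIGH_CVSS:
            result.warnings.append(f"{label}: high severity, fix within {HIGH_SLA_DAYS - age_days}d")
        # Below HIGH_CVSS: still reported by the scanner, but not gated here.
    return result


def sample_run(today: date = date(2024, 6, 1)) -> GateResult:
    """Constructed scan output; CVE IDs, versions and dates are placeholders."""
    def d(n: int) -> date:
        return today - timedelta(days=n)
    findings = [
        Finding("CVE-0000-0001", "libssl", 9.8, "3.0.14", d(2)),      # critical with fix -> block
        Finding("CVE-0000-0002", "zlib", 7.5, "1.3.1", d(45)),        # high, past SLA -> block
        Finding("CVE-0000-0003", "curl", 7.2, "8.8.0", d(3)),         # high, within SLA -> warn
        Finding("CVE-0000-0004", "busybox", 9.1, None, d(10)),        # no fix -> warn/triage
        Finding("CVE-0000-0005", "openssh", 9.0, "9.8p1", d(1)),      # active acceptance -> warn
        Finding("CVE-0000-0006", "bash", 9.3, "5.2.26", d(1)),        # acceptance expired -> block
        Finding("CVE-0000-0007", "coreutils", 5.3, "9.5", d(60)),     # medium -> not gated
    ]
    acceptances = [
        Acceptance("CVE-0000-0005", "openssh", today + timedelta(days=14), "SEC-101"),
        Acceptance("CVE-0000-0006", "bash", today - timedelta(days=1), "SEC-77"),
    ]
    return evaluate(findings, acceptances, today)


if __name__ == "__main__":
    r = sample_run()
    print("GATE", "PASS" if r.passed else "FAIL")
    for line in r.blocking:
        print("BLOCK", line)
    for line in r.warnings:
        print("WARN ", line)
```

The SLA clock keys off `first_seen` from the registry scan rather than the build, so a team cannot reset it by rebuilding; acceptances expire on their own, which is what keeps "temporary" exceptions from becoming permanent. Running the same gate at runtime (admission control) with the same policy file is what makes build-time and runtime decisions agree.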
Hard | System Design | 70 practiced
Design a global, multi-region audit logging and retention solution that satisfies GDPR data-location constraints and PCI-DSS requirements for tamper-evident retention, cross-border transfer restrictions, and controlled auditor access. Provide architecture diagrams in prose, data flows, encryption strategy, and automation for access and evidence collection.
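
The tamper-evident retention part of this question, as an added example that is not part of the question bank or any answer key: an append-only audit log in which every record carries an HMAC over its own content and the previous record's tag, so editing, reordering or deleting a record breaks verification at the first affected index. The events, the region field and the MAC key are constructed for the example; in a real deployment the key would be held by the log service in a KMS or HSM, not by the producers writing events.

```python
"""Hash-chained, HMAC-protected audit log with tamper detection. Stdlib only."""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

Record = Dict[str, Any]
GENESIS = "0" * 64   # prev-hash of the first record


def _canonical(seq: int, prev: str, event: Dict[str, Any]) -> bytes:
    # Canonical JSON so every verifier hashes identical bytes regardless of key order.
    return json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, seq: int, prev: str, event: Dict[str, Any]) -> str:
    return hmac.new(key, _canonical(seq, prev, event), hashlib.sha256).hexdigest()


def append(chain: List[Record], key: bytes, event: Dict[str, Any]) -> Record:
    """Append one event; its tag binds the event to everything written before it."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "event": event, "hash": _tag(key, seq, prev, event)}
    chain.append(rec)
    return rec


def verify(chain: List[Record], key: bytes,
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad record). Dropping records from the tail is only
    detectable when the caller supplies the chain head it anchored elsewhere
    (a signed checkpoint, an object-locked bucket, a separate ledger)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(rec["hash"], _tag(key, i, prev, rec["event"])):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def sample_chain() -> Tuple[List[Record], bytes]:
    """Constructed events and a constructed key (a real key would live in a KMS/HSM)."""
    key = b"demo-audit-mac-key-do-not-use"
    chain: List[Record] = []
    append(chain, key, {"ts": "2024-06-01T10:00:00Z", "actor": "alice",
                        "action": "iam.CreateRole", "region": "eu-west-1"})
    append(chain, key, {"ts": "2024-06-01T10:01:12Z", "actor": "bob",
                        "action": "kms.Decrypt", "region": "eu-west-1"})
    append(chain, key, {"ts": "2024-06-01T10:02:40Z", "actor": "alice",
                        "action": "s3.PutBucketPolicy", "region": "eu-west-1"})
    return chain, key


def tamper_event(chain: List[Record], idx: int, field: str, value: Any) -> List[Record]:
    """Copy of the chain with one event field rewritten (simulated insider edit)."""
    copied = json.loads(json.dumps(chain))
    copied[idx]["event"][field] = value
    return copied


def drop_record(chain: List[Record], idx: int) -> List[Record]:
    """Copy of the chain with one record removed (simulated deletion)."""
    copied = json.loads(json.dumps(chain))
    del copied[idx]
    return copied


if __name__ == "__main__":
    chain, key = sample_chain()
    print("intact:    ", verify(chain, key))
    print("edited:    ", verify(tamper_event(chain, 1, "actor", "mallory"), key))
    print("deleted:   ", verify(drop_record(chain, 1), key))
    print("truncated: ", verify(chain[:-1], key, expected_head=chain[-1]["hash"]))
```

Two caveats a reviewer would raise. An HMAC is symmetric, so anyone who holds the key can rewrite the whole chain consistently; where auditors must verify independently of the log operator, replace the tag with a digital signature from a key the operator cannot use to forge, or store the chain in a write-once medium. And a chain on its own says nothing about missing tail records, which is why the head hash must be anchored outside the store at a fixed cadence; the `expected_head` check above is the read side of that anchor.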
Hard | Technical | 69 practiced
Propose an automated testing framework that validates security controls and runs chaos-style experiments (for example rotating keys, revoking tokens, simulating network segmentation failure) against staging and production-like environments. The framework should report regressions, trigger alerting, and optionally perform automated rollbacks when control validation fails.
Easy | Technical | 56 practiced
Explain the difference between encryption at rest and encryption in transit. For each, list typical implementations in AWS/GCP/Azure (e.g., SSE-KMS, CMEK, TLS), how keys are managed (KMS vs HSM), and the operational tradeoffs such as performance, rotation complexity, and auditability.
Easy | Technical | 63 practiced
What core audit logs should a DevOps team collect for infrastructure security (cloud API/control plane logs, OS/system logs, container runtime events, auth events)? How would you decide retention periods and storage locations to satisfy both operational investigations and basic compliance requirements while managing cost?
