InterviewStack.io LogoInterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing and dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, Service Organization Controls two, the Payment Card Industry Data Security Standard, and International Organization for Standardization two seven zero zero one, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

HardSystem Design
0 practiced
Design a global key management strategy that satisfies regional data residency and compliance requirements while enabling secure cross region failover. Explain where keys and ciphertext live, how encryption and decryption flows work, how rotations are handled, and how to produce audit evidence showing keys were used appropriately.
EasyTechnical
0 practiced
Define encryption at rest and encryption in transit. For a typical web service stack list where you would apply each, including databases, object stores, message queues, and service mesh. Also describe key management responsibilities for SREs and operational concerns such as certificate rotation and forward secrecy.
HardTechnical
0 practiced
Design an end to end plan to defend the build and release pipeline against supply chain attacks. Include reproducible builds, SBOM generation, artifact signing and transparency, build farm isolation, credential hygiene, and how to detect and respond to a compromised dependency or malicious commit.
EasyTechnical
0 practiced
Explain the difference between detection and prevention controls in infrastructure security. Provide examples of each within the SRE scope such as network rules, host hardening, and telemetry collection, and describe how they complement each other for a mature security posture.
HardSystem Design
0 practiced
Design a SIEM and SOAR based detection and response platform aimed at detecting advanced persistent threats across cloud services and endpoints. Detail required telemetry sources, correlation strategies, detection models, playbook design, safe automated containment actions, and metrics for program health such as mean time to detect and mean time to respond.

Unlock Full Question Bank

Get access to hundreds of Infrastructure Security and Compliance interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.