Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing and dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, Service Organization Controls two, the Payment Card Industry Data Security Standard, and International Organization for Standardization two seven zero zero one, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

HardTechnical

65 practiced

Outline a threat hunting program for a cloud native environment. Describe team roles and structure, essential tooling and data pipelines, hypothesis frameworks, playbook development, onboarding of telemetry, and how to measure program success and operationalize findings into detection rules and response playbooks.

EasyTechnical

90 practiced

Explain how service level objectives and error budgets interact with security and compliance work. Provide examples where strict security controls could consume error budget or slow releases and describe how SREs should make trade off decisions between safety and velocity.

EasyTechnical

72 practiced

Explain the difference between authentication and authorization in the context of infrastructure systems. Provide concrete examples for three layers: human operator access, service-to-service communication, and CI/CD pipeline credentials. For each example name typical technologies or protocols you would use and describe common operational pitfalls SREs should avoid.

HardTechnical

53 practiced

Design an end to end plan to defend the build and release pipeline against supply chain attacks. Include reproducible builds, SBOM generation, artifact signing and transparency, build farm isolation, credential hygiene, and how to detect and respond to a compromised dependency or malicious commit.

HardSystem Design

60 practiced

Design a global key management strategy that satisfies regional data residency and compliance requirements while enabling secure cross region failover. Explain where keys and ciphertext live, how encryption and decryption flows work, how rotations are handled, and how to produce audit evidence showing keys were used appropriately.

Unlock Full Question Bank

Get access to hundreds of Infrastructure Security and Compliance interview questions and detailed answers.

Join thousands of developers preparing for their dream job.