InterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role-based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero-trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security (artifact signing, dependency scanning, and provenance), policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade-offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Service Organization Controls 2 (SOC 2), the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

Easy, Technical
74 practiced
Explain the concept of 'policy as code' and provide a concise example of how you would enforce a rule that disallows public S3 buckets in a CI/CD pipeline. Mention tools you might use (Open Policy Agent/OPA, HashiCorp Sentinel, cloud-provider policy engines) and how you would avoid blocking developer workflows while enforcing the rule.
Hard, System Design
111 practiced
Design a zero-trust, least-privilege architecture for a global microservices platform deployed across multiple clouds. Include how service identities are issued (short-lived certs or JWTs), automated certificate/key rotation, service mesh integration for enforcement, secrets management strategy, cross-region trust bootstrapping, telemetry for detection, and disaster recovery if trust anchors are compromised.
Hard, System Design
71 practiced
Design a global Key Management Service (KMS) architecture that supports envelope encryption for data services across regions and clouds. Address HSM-backed root keys, key rotation policies, cross-region key replication or region-specific keys for data residency, strict IAM for KMS usage, audit logging of all key operations, and disaster recovery strategy if a KMS region is unavailable or compromised.
Easy, Technical
59 practiced
Write an AWS IAM policy in JSON that grants an IAM role only the permissions required to list the bucket 'arn:aws:s3:::corp-logs' and to get objects under the prefix 'prod/*' (s3:ListBucket and s3:GetObject). The policy must not allow any other S3 actions in the account. Provide the policy JSON and explain the key elements you used.
Easy, Technical
60 practiced
Explain the differences between automated vulnerability scanning and manual penetration testing. Discuss typical cadence, common tools (e.g., Nessus, Qualys, Burp Suite), how to prioritize findings, and how results should feed into organizational patching and remediation workflows.