InterviewStack.io LogoInterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing and dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, Service Organization Controls two, the Payment Card Industry Data Security Standard, and International Organization for Standardization two seven zero zero one, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

HardSystem Design
66 practiced
Design compliance and security controls for a SaaS application that stores protected health information (PHI) under HIPAA. Address encryption, access controls, audit logging, breach notification workflows, business associate agreements (BAAs), region selection and data residency, and automation for evidence collection during audits.
MediumTechnical
74 practiced
Design a workflow for rotating database credentials automatically using HashiCorp Vault dynamic secrets for applications deployed via CI/CD and Kubernetes. Describe the auth method (e.g., Kubernetes auth), lease management, secret caching, renewal, key steps for rollout without downtime, and how to detect and recover from rotation failures.
HardTechnical
70 practiced
Create a comprehensive policy and enforcement model for third-party dependencies that includes SBOM generation, artifact signing, vulnerability thresholds, whitelisting/blacklisting procedures, vendor risk assessment criteria, and automated enforcement points in CI/CD and runtime. Discuss escalation and exception handling.
EasyTechnical
54 practiced
Explain the principle of least privilege and how it applies to cloud infrastructure and CI/CD pipelines. Provide concrete examples of implementing least privilege in IAM roles, service accounts, Kubernetes service accounts, and object store policies. Describe how you would audit and measure privilege creep over time and detect over-privileged identities.
HardSystem Design
111 practiced
Architect an end-to-end incident detection and response pipeline that integrates endpoint detection (EDR), cloud telemetry, a SIEM for correlation, and a SOAR for automated playbooks. Explain data normalization, enrichment (threat intelligence), playbook triggers, human-in-the-loop steps, and how to measure and reduce mean time to detect and respond.

Unlock Full Question Bank

Get access to hundreds of Infrastructure Security and Compliance interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.