InterviewStack.io LogoInterviewStack.io

Distributed Systems Security Questions

Security considerations and patterns for distributed systems and multi service environments. Topics include service to service authentication and authorization, key management and secret rotation at scale, implications of eventual consistency for access control decisions, securing inter service communication, distributed logging and auditing, handling security during partial failures and partitioning, Byzantine fault tolerant scenarios and consensus impacts on security, tradeoffs between availability confidentiality and integrity across regions, and designing resilient defenses for systems spanning multiple data centers or organizational boundaries.

MediumTechnical
32 practiced
Implement a thread-safe sliding-window rate limiter in Go to protect login endpoints from brute-force attacks. The limiter should expose:
go
type Limiter struct { /* ... */ }
func NewLimiter(max int, window time.Duration) *Limiter
func (l *Limiter) Allow(key string) bool
Requirements: per-key limits, reasonable memory usage, concurrency-safety for many goroutines. Focus on algorithm (bucketized counters or sliding logs) and correctness under concurrent access.
HardSystem Design
44 practiced
Design a distributed policy decision point (PDP) for authorization that must serve 1,000 decisions/sec with 50ms latency SLA across three regions, while preventing privilege escalation during partitions. Describe how to store and replicate policies, caching strategies at local PDPs, decision versioning, how to roll back a bad policy quickly, and operational monitoring and audit logging requirements for compliance.
MediumTechnical
38 practiced
Stateless JWTs are widely used in your platform. You need a revocation mechanism to immediately invalidate compromised tokens. Design a scalable revocation system balancing correctness and performance. Consider options: short-lived tokens + refresh tokens, blacklists with caching, bloom filters, token versioning on user objects, push invalidations, and explain how SREs will operate, monitor, and scale the chosen solution.
MediumTechnical
39 practiced
Design an anti-replay mechanism for asynchronous message processing (e.g., Kafka consumers) where retries and duplicates can cause repeated processing. Requirements: idempotent processing, bounded deduplication window, modest coordination cost, and resilience to consumer restarts. Describe the deduplication data structure, sharding strategy, and how to garbage collect old dedup state.
EasyTechnical
35 practiced
Define least-privilege for a microservices platform and provide concrete steps an SRE team can take to implement it across compute, network, and cloud IAM: e.g., minimal service account scopes, network segmentation, container capabilities, and RBAC for control-plane APIs. Describe automation to detect and remediate privilege drift.

Unlock Full Question Bank

Get access to hundreds of Distributed Systems Security interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.