InterviewStack.io LogoInterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing and dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, Service Organization Controls two, the Payment Card Industry Data Security Standard, and International Organization for Standardization two seven zero zero one, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

MediumTechnical
56 practiced
Write a Python script that rotates an ephemeral credential by calling a secrets API, updates a Kubernetes secret, and triggers a rolling restart of a deployment. Focus on idempotency, error handling, retries with backoff, and minimizing downtime. Assume the standard Kubernetes client library is available.
EasyTechnical
73 practiced
Explain the difference between authentication and authorization in the context of infrastructure systems. Provide concrete examples for three layers: human operator access, service-to-service communication, and CI/CD pipeline credentials. For each example name typical technologies or protocols you would use and describe common operational pitfalls SREs should avoid.
MediumTechnical
62 practiced
Write an OPA Rego policy that rejects Terraform plan changes which create or update any aws s3 bucket without server side encryption enabled. The policy should examine resource attributes in the Terraform plan input and return a clear deny message indicating which resource lacks server side encryption.
EasyTechnical
115 practiced
Describe the core principles of zero trust architecture and how SREs can operationalize them for cloud native platforms. Cover identity verification, least privilege, microsegmentation, device posture, continuous validation, and how to move from legacy implicit trust models.
HardTechnical
65 practiced
You are designing a new customer data platform that must meet HIPAA and PCI DSS requirements in certain regions. Describe the controls you would implement, architecture choices to isolate regulated data, logging and access control mechanisms, encryption and key management, and how automated evidence gathering would work for audits.

Unlock Full Question Bank

Get access to hundreds of Infrastructure Security and Compliance interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.