InterviewStack.io LogoInterviewStack.io

Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing and dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, Service Organization Controls two, the Payment Card Industry Data Security Standard, and International Organization for Standardization two seven zero zero one, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

HardTechnical
66 practiced
A breach started from a compromised developer workstation and resulted in source code exfiltration and exposure of customer test data. Analyze systemic control failures (endpoint protection, credential hygiene, MFA coverage, logging gaps, least-privilege violations) and propose a prioritized 90-day remediation roadmap with concrete milestones that will provide demonstrable SOC2 evidence of improvement.
MediumTechnical
54 practiced
Write pseudo-code (Python or Bash) for a script that rotates a database user password every 24 hours, updates the secret in a central secret store or Kubernetes Secret (or CSI), and triggers a health check on dependent services. Include error handling, rollback steps if health checks fail, and notification (e.g., Slack/email).
HardBehavioral
74 practiced
Describe a time you led cross-functional remediation after an audit identified systemic compliance gaps. Explain how you prioritized items, coordinated engineering, security, legal, and product stakeholders, tracked evidence for re-audit, and which metrics you used to measure success and sustainment of controls.
EasyTechnical
96 practiced
Define authentication and authorization in the context of cloud infrastructure. Explain how they differ, give concrete examples using AWS (IAM roles and policies), Azure AD (RBAC and role assignments), or GCP (service accounts and IAM bindings), and describe common federation protocols (SAML, OIDC, OAuth2) used for single sign-on and cross-account access.
HardTechnical
66 practiced
Design a continuous, automated compliance monitoring system that mapstechnical controls from GDPR, HIPAA, PCI-DSS, and ISO 27001 to policy-as-code checks running across AWS, Azure, and GCP. Include rule mapping, evidence collection, secure evidence storage, auditor access, regional data residency handling, and strategies to reduce false positives and false negatives at scale.

Unlock Full Question Bank

Get access to hundreds of Infrastructure Security and Compliance interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.