Cloud Security & Architecture
What is the AWS Well-Architected Framework?
It's a set of best practices across 6 pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. I apply it to secure and optimize AWS workloads.
How do you enforce the principle of least privilege in AWS IAM?
By using fine-grained IAM policies, role-based access control (RBAC), service-specific conditions such as resource-level permissions, and IAM Access Analyzer.
What is Zero Trust Architecture? How have you implemented it?
It assumes no implicit trust and requires verification for every access. I use short-lived credentials, identity federation, and inspect access at every layer.
What’s your approach to secure cross-account access in AWS?
I use IAM roles with trust policies, STS assume-role mechanisms, and SCPs to restrict usage.
How do you secure serverless applications?
Use VPCs, minimal IAM privileges for Lambda, encryption, API Gateway throttling, WAF, and monitoring via CloudTrail.
How do you manage secrets securely in AWS?
AWS Secrets Manager or Parameter Store (with encryption), rotation policies, and no hardcoded secrets in code or environment.
What are Service Control Policies (SCPs)?
Policies at the AWS Organization level that restrict what member accounts can do, used for guardrails.
How do you secure data in transit and at rest?
Use TLS 1.2+ for transit; KMS, SSE-S3, and customer-managed CMKs for rest.
Explain VPC security components.
NACLs, Security Groups, route tables, VPC Flow Logs, VPC endpoints, Transit Gateway, and centralized firewall policies.
How have you used GuardDuty and AWS Config for security monitoring?
GuardDuty for threat detection (like credential compromise); AWS Config for continuous compliance with custom rules.
Identity & Governance
What is your experience with AWS Organizations?
Created OU structures, applied SCPs, and enforced tagging/compliance policies across accounts.
How do you implement RBAC in AWS IAM?
Group users by roles, assign policies with limited permissions, and audit access logs.
What tools do you use to manage user lifecycle?
Terraform, SCIM integrations, and automated onboarding via Python for tools like Jira and Jenkins.
How do you integrate AWS IAM with enterprise identity providers?
Using IAM Identity Center with SAML or SCIM to federate identity with Azure AD or Ping Identity.
Explain session policies and STS.
Session policies provide temporary permission boundaries; STS issues short-lived tokens for cross-account or federated access.
DevSecOps, IaC & Automation
What tools have you used for IaC?
Terraform (multi-account modules), CDK (TypeScript/Python), CloudFormation (StackSets).
What security best practices do you follow for Terraform?
Policy checks with tfsec and Sentinel, static scans, Git pre-commit hooks, and state encryption with S3/KMS.
Explain drift detection.
Identify configuration differences between declared and actual infrastructure. Use terraform plan and AWS Config.
How do you secure CI/CD pipelines?
Integrate SAST/SCA tools like Checkmarx and JFrog, require signed commits, use IAM roles for GitHub Actions, and scan artifacts.
What’s your experience with Python automation?
Automated onboarding, compliance checks, incident response scripts, and resource provisioning.
How do you secure Lambda functions?
Least-privileged execution roles, VPC access, KMS encryption, secure runtime environments, logging.
What is CDK and when do you prefer it?
CDK is a developer-friendly IaC tool using familiar programming languages. It is preferable for reusable infrastructure with logic-heavy deployments.
Explain how you handle version control for IaC.
Git-based workflows, environment branches (dev/stage/prod), peer reviews, automated testing.
How do you build reusable IaC modules?
Parameterized Terraform modules, CDK Constructs, use of remote state, and documentation.
How do you secure your CI/CD secrets?
Store in AWS Secrets Manager or GitHub Actions secrets with RBAC-controlled access.
Streaming & Data Security
How do you secure streaming pipelines in Redpanda/Kafka?
TLS encryption, SASL authentication, Protobuf schemas, role-based topic access.
What is your experience with gRPC in data streaming?
Designed secure APIs with mTLS, protobuf contracts, and throttling policies.
How do you ensure message integrity in Kafka/Redpanda?
Schema validation (Protobuf), partition key controls, and checksum verification.
Explain data lineage and how you enforce it.
Use metadata tagging, Apache Atlas, Trino query logs, and logging pipeline stages with audit trails.
How do you secure analytics platforms like Snowflake or Athena?
Role-based access, masking policies, SSO integration, and KMS encryption for external tables.
Observability, Logging & Incident Response
How do you implement centralized logging in AWS?
Use CloudWatch Logs, Kinesis Firehose to Splunk/S3, and build dashboards using Grafana or ELK.
What tools do you use for SIEM integration?
Splunk, GuardDuty, AWS Security Hub, Detective, and AWS Config integration.
How do you alert on anomalous activity?
Use CloudWatch alarms, anomaly detection, Splunk correlation rules, and GuardDuty findings.
How do you monitor infrastructure health?
Prometheus for metrics, Grafana dashboards, synthetic checks, CloudWatch Insights.
How do you implement incident response automation?
Trigger Lambda from GuardDuty/CloudWatch, create ServiceNow tickets, quarantine resources.
Governance, Risk & Compliance
How do you maintain continuous compliance?
AWS Config, custom rules, periodic scans, auto-remediation via Lambda or Systems Manager.
How do you align controls with NIST or ISO frameworks?
Map policies to controls, use control-mapping tools, build dashboards showing compliance coverage.
Explain your experience with the Three Lines of Defense (LOD).
Collaborated with LOD teams to assess risks, review controls, and present security architecture decisions.
What is your strategy for secure tagging?
Enforce tag policies via SCPs and Config, and automate remediation of untagged resources.
How do you ensure audit readiness in AWS?
Collect logs centrally, maintain access records, and gather evidence through Config and S3 snapshots.
Leadership, Communication & Stakeholder Engagement
How do you influence engineering teams to adopt security practices?
Conduct training, explain risks in business terms, automate secure-by-default templates.
How do you communicate technical issues to non-technical stakeholders?
Use analogies, risk-impact visuals, dashboards, and tailored executive summaries.
Have you led incident response calls?
Yes; I coordinated across teams and shared timelines, root cause, mitigation, and recovery.
What’s your approach to Architecture Review Boards (ARB)?
Present risks and alternatives, ensure alignment with standards, and get buy-in from security/compliance.
Describe a challenge you solved in a cross-functional team.
Solved identity duplication by aligning IAM with HRMS and SSO, improving onboarding speed and compliance.
Advanced & Scenario-Based
You detect an IAM user with excessive permissions. What’s your process?
Investigate access logs, generate an IAM Access Analyzer report, suggest role segmentation, and apply least privilege.
You’re asked to design a multi-account AWS architecture. What are the key considerations?
OU hierarchy, SCP guardrails, landing zones, shared services VPC, centralized logging, identity federation.
What would you do if Snowflake access logs show unexpected high-volume queries?
Validate the user/session, disable it if needed, review the access policy, alert the SOC, and investigate the source.
An S3 bucket is found public. How do you react?
Disable public access, check the bucket policy and ACL, and use Macie/Config to monitor for recurrence.
How do you secure inter-service communication within Kubernetes?
Use mTLS (with service mesh like Istio), NetworkPolicies, Secrets for credentials, RBAC.