Design guardrails so the rest of the company can ship safely.
Cloud Security Engineers own preventative controls across AWS, Azure, and GCP — IAM, network segmentation, KMS, and detection-as-code. The role is part architecture, part platform engineering, and increasingly part developer enablement.
Tools in scope
FAANG: Expect an IAM design round — least-privilege a cross-account workflow on a whiteboard.
Multi-cloud enterprise: Breadth matters; tradeoffs between AWS SCP / Azure Policy / GCP Org Policy come up.
// Sample question
How would you design IAM so a developer can read S3 logs but never assume a production role?
Use permission boundaries on the developer's role, an explicit Deny on `sts:AssumeRole` for the prod role ARN, and SCPs at the OU level so even root in the dev account can't reach prod. Add CloudTrail + GuardDuty alerts on any AssumeRole attempts crossing the boundary.
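A worked version of that answer, added here as an illustration and not taken from the original page: the three policy documents as Python dicts, a simplified evaluator that mirrors the AWS rule that an explicit Deny overrides any Allow, and a CloudTrail filter for the alerting step. Account IDs, the bucket name and the role names are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: 111111111111 = dev account, 222222222222 = prod account.
PROD_ROLE_ARN = "arn:aws:iam::222222222222:role/ProdAdmin"
LOG_BUCKET_ARN = "arn:aws:s3:::dev-logs-placeholder"

# Identity policy on the developer role: read the log bucket, explicit Deny on the prod role.
DEV_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [LOG_BUCKET_ARN, LOG_BUCKET_ARN + "/*"]},
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": PROD_ROLE_ARN}]}

# Permission boundary: caps the developer at S3 access to dev-* buckets, nothing else.
DEV_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::dev-*", "arn:aws:s3:::dev-*/*"]}]}

# SCP on the dev OU: allow everything except assuming any role in the prod account.
DEV_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _decision(policy, action, resource):
    """'Deny', 'Allow', or None (implicit deny) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def is_allowed(action, resource, policies=(DEV_OU_SCP, DEV_BOUNDARY, DEV_ROLE_POLICY)):
    """Simplified AWS evaluation: any explicit Deny wins; otherwise the SCP, the
    boundary and the identity policy must each Allow. Conditions and resource
    policies are ignored, so this is an illustration, not a policy simulator."""
    decisions = [_decision(p, action, resource) for p in policies]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)

def cross_boundary_assume_events(events):
    """Detection-as-code over CloudTrail records: flag AssumeRole calls aimed at
    prod-account roles, including denied ones, since the attempt is the signal."""
    return [e for e in events if e["eventName"] == "AssumeRole"
            and fnmatchcase(e["requestParameters"]["roleArn"],
                            "arn:aws:iam::222222222222:role/*")]
```

Because the SCP, the boundary and the identity policy each carry the restriction independently, removing any one of them still leaves the prod role unreachable.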
AI-graded, role-specific, feedback on every answer. Free to start.