topic

Cloud Security Interview Questions Interview Questions

Cloud Security Engineer interview questions across AWS, Azure, and GCP — IAM, KMS, network, container, and detection.

Cloud security interview loops blend deep service knowledge with architecture thinking. Expect a mix of 'how does X actually work?' (e.g. policy evaluation logic), 'design a secure landing zone' scenarios, and live troubleshooting (an IAM puzzle, a flow log investigation). ## Interview questions and strong-answer skeletons Each question below is drawn from recent UK and US interview loops for the role or framework. Use the answer skeletons as scaffolding — adapt to your specific experience.

Questions

  1. 01

    Walk me through AWS IAM policy evaluation logic.

    Show strong-answer outline

    Explicit deny anywhere = deny. Otherwise: SCPs → resource policies → identity policies → permission boundaries → session policies; all must allow. Cross-account requires both sides. KMS requires both KMS key policy and IAM policy.

  2. 02

    Difference between SCP and IAM policy?

    Show strong-answer outline

    SCPs are guardrails attached at Org / OU / Account level — they limit what IAM can grant. SCPs cannot grant; they only restrict. IAM policies grant within SCP-defined max.

  3. 03

    Design a multi-account AWS landing zone for regulated workloads.

    Show strong-answer outline

    AWS Organizations + Control Tower. Dedicated security tooling account (GuardDuty/Security Hub delegated admin), log archive account (org CloudTrail to S3 with Object Lock + KMS), workload OUs split by data sensitivity. TGW for connectivity, centralised egress via Network Firewall. KMS keys per workload with key policies + grants.

  4. 04

    Explain Azure Conditional Access policy evaluation order.

    Show strong-answer outline

    All assigned policies evaluated together; grant controls require all-or-any selection; session controls layered on top. Risk-based signals (Entra ID Protection) feed in. Always test with What If.

  5. 05

    How does GCP VPC-SC work and what does it protect against?

    Show strong-answer outline

    Service perimeter around managed services (GCS, BQ, etc.) preventing data exfiltration across project / VPC boundaries. Even with valid IAM, requests crossing the perimeter are denied unless via Ingress/Egress rules.

  6. 06

    KMS key rotation — explain options and trade-offs.

    Show strong-answer outline

    AWS KMS auto-rotation (annual) keeps old key versions for decrypt; you can also schedule manual rotation or BYOK. Trade-off: auto-rotation simpler; manual rotation gives finer control + audit trail. Re-encryption of past data is application responsibility.

  7. 07

    How would you investigate a suspected compromised AWS access key?

    Show strong-answer outline

    CloudTrail Lake / Athena query for the key's last 30 days. Identify anomalous source IPs, geographic distribution, API call patterns. Disable key immediately, rotate, scope blast radius via IAM access analyzer + last-accessed data. Engage IR if data accessed.

  8. 08

    Explain runtime security for Kubernetes.

    Show strong-answer outline

    Pod Security Standards (replaced PSP) at namespace level; Admission control (OPA/Gatekeeper, Kyverno) for policy-as-code; Runtime detection (Falco, Tetragon) for syscall-level anomalies; Network policies (Calico, Cilium) for east-west; image scanning + signing (Cosign + Sigstore).

  9. 09

    What is workload identity / IRSA and why use it?

    Show strong-answer outline

    Maps cloud IAM roles to in-cluster service accounts via OIDC federation. Avoids long-lived static credentials in pods. AWS: IRSA. GCP: Workload Identity. Azure: Workload Identity / Pod Identity.

  10. 10

    Detection: a Lambda function suddenly creates IAM users. What does the chain of evidence look like?

    Show strong-answer outline

    CloudTrail event (CreateUser API, principal=Lambda exec role, sourceIP=AWS internal). Confirm against expected behaviour (deploy automation, etc.). If anomalous: revoke role permissions, snapshot Lambda code, hunt for newly-created users across accounts via Athena query.

  11. 11

    Compare AWS Security Hub, Azure Defender for Cloud, and GCP SCC.

    Show strong-answer outline

    All three aggregate findings + posture management. Security Hub = AWS-native, integrates GuardDuty + Inspector + Macie + 3rd-party. Defender for Cloud = strongest cross-cloud and on-prem coverage. SCC Premium = GCP-deep with Event Threat Detection.

  12. 12

    How do you secure CI/CD pipelines?

    Show strong-answer outline

    OIDC federation to cloud (no long-lived secrets), least-privilege deploy roles, signed artefacts (Cosign), SBOM generation, branch protection + required reviewers, secret scanning, runner isolation.

Frequently asked questions

Single-cloud or multi-cloud focus for interviews?

Lead with your strongest cloud; show one-cloud-deep + one-cloud-conversational. Multi-cloud loops actively probe for AWS+Azure parity.

Are coding questions common in cloud security interviews?

Yes — at minimum a Terraform / Python / Bash live exercise. Bonus: Go fluency for senior platform-security roles.

How important is Kubernetes for cloud security interviews?

Critical for scale-ups and product companies; less so for traditional enterprise.

Should I prepare for AWS, Azure, or GCP?

Whichever your target firm runs. AWS dominates fintech/scale-ups; Azure dominates UK enterprise + public sector; GCP is third but high-paid where present.

Rehearse Cloud Security Interview Questions questions live

Run AI-graded mock interviews with panel personas and structured feedback.

Start free
// related