Cloud Security Engineer interview questions across AWS, Azure, and GCP — IAM, KMS, network, container, and detection.
Walk me through AWS IAM policy evaluation logic.
Explicit deny anywhere = deny. Otherwise: SCPs → resource policies → identity policies → permission boundaries → session policies; all must allow. Cross-account requires both sides. KMS requires both KMS key policy and IAM policy.
Difference between SCP and IAM policy?
SCPs are guardrails attached at Org / OU / Account level — they limit what IAM can grant. SCPs cannot grant; they only restrict. IAM policies grant within SCP-defined max.
Design a multi-account AWS landing zone for regulated workloads.
AWS Organizations + Control Tower. Dedicated security tooling account (GuardDuty/Security Hub delegated admin), log archive account (org CloudTrail to S3 with Object Lock + KMS), workload OUs split by data sensitivity. TGW for connectivity, centralised egress via Network Firewall. KMS keys per workload with key policies + grants.
Explain Azure Conditional Access policy evaluation order.
All assigned policies evaluated together; grant controls require all-or-any selection; session controls layered on top. Risk-based signals (Entra ID Protection) feed in. Always test with What If.
How does GCP VPC-SC work and what does it protect against?
Service perimeter around managed services (GCS, BQ, etc.) preventing data exfiltration across project / VPC boundaries. Even with valid IAM, requests crossing the perimeter are denied unless via Ingress/Egress rules.
KMS key rotation — explain options and trade-offs.
AWS KMS auto-rotation (annual) keeps old key versions for decrypt; you can also schedule manual rotation or BYOK. Trade-off: auto-rotation simpler; manual rotation gives finer control + audit trail. Re-encryption of past data is application responsibility.
How would you investigate a suspected compromised AWS access key?
CloudTrail Lake / Athena query for the key's last 30 days. Identify anomalous source IPs, geographic distribution, API call patterns. Disable key immediately, rotate, scope blast radius via IAM access analyzer + last-accessed data. Engage IR if data accessed.
Explain runtime security for Kubernetes.
Pod Security Standards (replaced PSP) at namespace level; Admission control (OPA/Gatekeeper, Kyverno) for policy-as-code; Runtime detection (Falco, Tetragon) for syscall-level anomalies; Network policies (Calico, Cilium) for east-west; image scanning + signing (Cosign + Sigstore).
What is workload identity / IRSA and why use it?
Maps cloud IAM roles to in-cluster service accounts via OIDC federation. Avoids long-lived static credentials in pods. AWS: IRSA. GCP: Workload Identity. Azure: Workload Identity / Pod Identity.
Detection: a Lambda function suddenly creates IAM users. What does the chain of evidence look like?
CloudTrail event (CreateUser API, principal=Lambda exec role, sourceIP=AWS internal). Confirm against expected behaviour (deploy automation, etc.). If anomalous: revoke role permissions, snapshot Lambda code, hunt for newly-created users across accounts via Athena query.
Compare AWS Security Hub, Azure Defender for Cloud, and GCP SCC.
All three aggregate findings + posture management. Security Hub = AWS-native, integrates GuardDuty + Inspector + Macie + 3rd-party. Defender for Cloud = strongest cross-cloud and on-prem coverage. SCC Premium = GCP-deep with Event Threat Detection.
How do you secure CI/CD pipelines?
OIDC federation to cloud (no long-lived secrets), least-privilege deploy roles, signed artefacts (Cosign), SBOM generation, branch protection + required reviewers, secret scanning, runner isolation.
Lead with your strongest cloud; show one-cloud-deep + one-cloud-conversational. Multi-cloud loops actively probe for AWS+Azure parity.
Yes — at minimum a Terraform / Python / Bash live exercise. Bonus: Go fluency for senior platform-security roles.
Critical for scale-ups and product companies; less so for traditional enterprise.
Whichever your target firm runs. AWS dominates fintech/scale-ups; Azure dominates UK enterprise + public sector; GCP is third but high-paid where present.
Run AI-graded mock interviews with panel personas and structured feedback.