01What is the difference between authentication and authorization?
›
Authentication: prove identity (login, MFA, mTLS cert). Authorization: decide allowed actions for that identity (RBAC, ABAC, policies). Mixing them up is a common interview mistake.
02What is OAuth2 vs OpenID Connect at a high level?
›
OAuth2: delegated authorization framework (access tokens for APIs). OIDC: identity layer on OAuth2 - ID tokens (JWT) assert who the user is. "Login with Google" is typically OIDC; calling APIs with scopes is OAuth2.
03What is RBAC vs ABAC?
›
RBAC: roles bind permissions to job functions (simple, auditable). ABAC: policies on attributes (department, resource tags, time) - flexible, harder to reason. Kubernetes RBAC is classic RBAC; AWS IAM conditions lean ABAC-ish.
04What is SSO and why use SAML or OIDC federation?
›
SSO: one IdP login for many apps. SAML common in enterprises; OIDC modern for cloud-native. Central offboarding, MFA enforcement, audit trails - reduces scattered local passwords.
05What is a confused deputy problem in cloud IAM?
›
A privileged service (deputy) can be tricked into acting on attacker's behalf if resource policies/trust boundaries are wrong. Mitigate with source ARN/account conditions, scoped session policies, and avoiding overly broad sts:AssumeRole trusts.
⊖
LEAST PRIVILEGE & GOVERNANCE5 questions
06State the principle of least privilege.
›
Grant only the minimum permissions required for a task, for the minimum time. Applies to humans, CI roles, and runtime service accounts. Review periodically as systems evolve.
07What are AWS SCPs and how do they differ from IAM policies?
›
SCPs are organization guardrails - they limit maximum permissions; they do not grant rights by themselves. IAM policies grant/deny within the SCP boundary. Even root in a member account cannot exceed SCPs.
08What is a break-glass or emergency access pattern?
›
Highly audited, MFA-protected role for catastrophic lockouts - rarely used, session recorded, alerts to security. Avoid daily use; pair with regular access reviews.
09What is separation of duties in DevOps pipelines?
›
Different principals for deploy vs production data access; approvals for production changes; CI cannot read prod secrets for dev jobs. Prevents single compromised token from owning everything.
10How do you audit effective permissions in a large AWS org?
›
IAM Access Analyzer, CloudTrail for API calls, periodic access reviews, Service Control Policies inventory, Permission Boundaries for high-risk roles, automated reports on unused permissions, central logging to immutable store.
◆
SECRETS & ZERO TRUST5 questions
11Where should secrets live instead of Git or .env in images?
›
Secret managers (Vault, AWS Secrets Manager, GCP Secret Manager), Kubernetes Secrets (encrypted at rest + RBAC), CI secret stores, or short-lived tokens from IdP. Never commit; rotate on leak.
12What is zero trust in one sentence?
›
Never trust the network; verify identity and device for every access decision with least privilege - "verify explicitly."
13What is mTLS and why use it service-to-service?
›
Mutual TLS: both client and server present certificates - strong service identity beyond bearer tokens on a flat network. Common in service meshes; reduces lateral movement if a pod is compromised.
14What is secret sprawl and how do you reduce it?
›
Duplicate secrets across repos, k8s namespaces, and teams - rotation nightmare. Centralize in vault with dynamic secrets, standardize injection patterns, automate rotation, delete unused credentials.
15Compare static API keys vs OIDC workload identity for CI/CD to cloud.
›
Static keys on runners are long-lived and leak-prone. OIDC federation (GitHub Actions to AWS/GCP) exchanges short-lived tokens - no stored cloud keys. Prefer OIDC for greenfield pipelines.
☸
KUBERNETES & CONTAINER SECURITY5 questions
16What do Pod security standards / restricted policies enforce?
›
Non-root user, drop capabilities, read-only root FS, no privilege escalation, seccomp profiles - reduce container breakout impact. Align with CIS benchmarks and PSP successors (PSA labels).
17Explain Kubernetes RBAC objects.
›
Role/ClusterRole: sets of verbs on resources. RoleBinding/ClusterRoleBinding: attach roles to users, groups, or ServiceAccounts. Prefer namespace Roles over ClusterRole where possible.
18What is admission control and give examples.
›
Webhook or built-in controllers that mutate/validate requests before persistence - OPA/Gatekeeper, Kyverno, image signature verification. Enforce labels, block latest tags, require resources limits.
19What is a service account token misuse risk?
›
Default tokens mounted into pods may be over-permissive if RBAC broad. Prefer bound tokens, short TTL, minimal ClusterRoleBindings, and disable auto-mount when unused.
20How would you respond to a suspected container breakout?
›
Isolate node (cordon/drain), snapshot for forensics, revoke credentials that node could reach, rotate secrets, patch CVE, review seccomp/AppArmor profiles, incident ticket with timeline, postmortem on blast radius.
⛨
APPSEC & SUPPLY CHAIN5 questions
21What is SAST vs DAST vs dependency scanning?
›
SAST: static code analysis (early, false positives). DAST: attack running app from outside. SCA: known vulnerable libraries (SBOM). Run multiple layers in CI.
22What is an SBOM?
›
Software Bill of Materials - inventory of components and versions. Enables rapid CVE response (Log4j-style). Formats: SPDX, CycloneDX. Generate in CI, store with artifacts.
23What is signing container images and why?
›
Cryptographic signature (cosign/sigstore) proves image provenance and integrity. Admission controller verifies signature before deploy - prevents running tampered images from a compromised registry.
24What is a WAF and when not to rely on it alone?
›
Web Application Firewall filters HTTP threats (SQLi, XSS patterns). Not a substitute for secure code, authz checks, or patching. Tune rules to avoid blocking legitimate traffic.
25Describe shift-left vs shift-right security in DevOps.
›
Shift-left: tests and reviews earlier in dev (lint, unit security tests, threat modeling). Shift-right: production detection (SIEM, runtime alerts, canaries). Balance: prevent regressions early, detect novel attacks in prod.
✓
COMPLIANCE & INCIDENTS5 questions
26What is CIS benchmarking for cloud/Kubernetes?
›
Hardening checklists - disable public S3, enable audit logs, restrict API server access. Automate checks (kube-bench, Prowler, ScoutSuite). Evidence for SOC2/ISO audits.
27Why is immutable audit logging important?
›
Attackers who gain admin cannot delete evidence if logs stream to WORM storage or separate account with append-only policy. Required for forensics and compliance.
28What is data classification and why does it matter for IAM?
›
Labels (public, internal, PII, PCI) drive who can access, encryption requirements, and logging redaction. IAM policies and resource tags should align with classification.
29How do you design IAM for a multi-tenant SaaS on Kubernetes?
›
Strong namespace isolation, NetworkPolicies, separate ServiceAccounts per tenant where needed, encrypt secrets per tenant, avoid shared cluster-admin, consider hard multi-tenant vs cell-based architectures for largest customers.
30What is the first 15 minutes of a credential leak response?
›
Revoke/rotate leaked creds immediately, scope what APIs were callable, check CloudTrail/git logs for misuse, notify stakeholders, temporary blocks if needed, post-incident full rotation and root-cause (committed key, overly broad token).