Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
Ethical hacking · Question Set
Cloud & Containers interview questions for placements and exams.
Questions
15
Included in this set
Subject
Ethical hacking
Explore more sets
Difficulty
Mixed
Level of this set
Go through each question and its explanation. Use this set as a focused practice pack for Ethical hacking.
IMDSv2 adds a hop-count aware session token. This reduces basic SSRF and open-proxy abuse. Pair it with egress controls and least-privilege roles.
aws ec2 modify-instance-metadata-options --http-endpoint enabled --http-tokens required --instance-id i-123456
For complete preparation, combine this set with full subject-wise practice for Ethical hacking. You can also explore other subjects and sets from the links below.
Use the S3 Block Public Access settings to prevent accidental exposure. Grant narrow roles to apps. Avoid object ACL reliance for private buckets.
aws s3control put-public-access-block --account-id 123456789012 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Prefer namespace-scoped permissions. ClusterRoleBinding grants rights across the cluster and can turn a small issue into full control.
kubectl create role viewer --verb=get,list,watch --resource=pods -n dev kubectl create rolebinding viewer-bind --role=viewer --serviceaccount=dev:app -n dev
PSS policies block privileged containers, host mounts, and risky capabilities. Start with baseline and aim for restricted for most workloads.
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
Use minimal, verified bases. Scan dependency layers and sign images so clusters can verify provenance before running them.
docker build -t registry/app:1.2.3 . cosign sign registry/app:1.2.3 trivy image --exit-code 1 registry/app:1.2.3
Keep secrets out of images and code. Fetch when needed, rotate often, and scope access with IAM or service accounts.
AWS: aws secretsmanager get-secret-value --secret-id app/db --query SecretString K8s: CSI Secrets Store driver to mount ephemeral secrets
Limit outbound so a compromised pod cannot freely reach metadata, unknown hosts, or exfil paths. Allow only the domains your app needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
spec:
podSelector: {}
policyTypes: [Egress]
egress:
- to:
- namespaceSelector: { matchLabels: { name: dns } }Check service account tokens and permissions with kubectl using in-cluster config. List only what is allowed: namespace, pods, services, and roles. Never modify resources. Confirm if the pod can talk to the API server and which verbs work. Record exact commands and outputs. Stop if you hit errors that suggest missing rights; do not try to bypass controls.
kubectl auth can-i --list kubectl get ns kubectl get pods -A --field-selector=spec.nodeName=$(hostname)
Start read-only. List identity context, account or project info, and regions. Enumerate storage, compute, and IAM policies with describe or list only. Do not create, modify, or delete any resource. Capture resource ARNs, tags, and attached policies. Map trust relationships to understand privilege paths. Keep the session short-lived and log every call.
aws sts get-caller-identity aws ec2 describe-regions aws iam list-roles --max-items 50
Require auth for pull and push. Enforce signed images. Scan on push and block critical findings. Use immutable tags or content digests. Prune old images on a schedule. Keep secrets out of build args and labels. Monitor download patterns to catch abuse.
Policy: signed-only, immutable tags, block HIGH/CRITICAL, retention 90 days
Collect API audit logs, IAM auth events, and network flow logs. In clusters, enable audit logs, admission logs, and container runtime logs. Correlate with workload labels and trace IDs. Alert on sensitive actions like role changes, public bucket policy changes, and creation of long-lived keys. Keep logs tamper-resistant with write-once storage and defined retention.
Alerts: iam:UpdateAssumeRolePolicy, s3:PutBucketAcl public, k8s ClusterRoleBinding changes
Metadata services often hold tokens and role details for the instance. If an app allows server-side request forgery, attackers may reach metadata and fetch credentials. Lock down egress and use modern metadata protections.
AWS IMDSv2 example: curl -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600' TOKEN=... curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Security Groups remember connections per host and simplify rules. Network ACLs work at the subnet boundary and require explicit inbound and outbound entries.
aws ec2 describe-security-groups aws ec2 describe-network-acls
Keep blast radius small. Scope each role to what it must do, add conditions like tags or source VPC, and favor temporary credentials via roles.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::corp-bucket/reports/*",
"Condition": { "StringEquals": { "aws:PrincipalTag/team": "analytics" } }
}]
}Verify control-plane version and auto-upgrade. Check node OS patching and minimal images. Ensure RBAC is on and audit logs are shipped. Enforce Pod Security Standards and NetworkPolicies. Lock cloud metadata access from pods. Confirm private endpoints and restricted API access. Review IAM roles for service accounts and restrict wildcard permissions.
kubectl version --short kubectl get ns --show-labels kubectl get networkpolicy -A