Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
System Security · Question Set
Cloud Sec interview questions for placements and exams.
Questions
15
Included in this set
Subject
System Security
Explore more sets
Difficulty
Mixed
Level of this set
Go through each question and its explanation. Use this set as a focused practice pack for System Security.
Envelope encryption uses short-lived data keys to encrypt content and then protects those data keys under a key encryption key managed by KMS. It scales and limits key exposure while keeping decryption under API control.
GenerateDataKey → use plaintext DEK to encrypt → store ciphertext DEK alongside data → decrypt via KMS when needed
For complete preparation, combine this set with full subject-wise practice for System Security. You can also explore other subjects and sets from the links below.
OWASP maintains a dedicated Top Ten for cloud-native threats that complements general web and API risks. It is useful for interviews and design reviews focused on containers and orchestration.
Use it to cross-check: identity, secrets, supply chain, workload isolation, and runtime protection
Authorize every request on the server. Check both object ownership and property-level rights before updates. Never trust client-side filtering. Use short-lived tokens and scopes. Rate-limit hot paths like login and resets. Log denies with context. Add tests for IDOR and mass-assignment. These steps address the top API risks and stop common data leaks early.
if (obj.owner !== auth.userId) return 403; const allowed = pick(req.body, editableFieldsFor(auth));
The cloud provider is responsible for security of the cloud, like data center, hardware, and the virtualization layer. Customers are responsible for security in the cloud, like configuration, identity, data, and workloads. Understanding this split prevents dangerous assumptions and audit gaps.
Rule of thumb: provider = infra layer; you = identity, config, data, app
S3 Block Public Access provides centralized switches at account, access point, and bucket levels to keep data from becoming public, even if a user sets a permissive policy. It is a default-on safety net for many orgs.
aws s3control put-public-access-block --account-id 123456789012 --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
IMDSv2 requires a token obtained via a local hop and enforces hop limits. This design reduces trivial metadata theft and credential exposure compared to IMDSv1. You can set new instances to require v2 only.
AWS CLI at launch: --metadata-options HttpTokens=required HttpEndpoint=enabled
Multi-Region trails record activity in all enabled Regions, including seldom-used ones, so you do not miss events or attacks that target an unexpected Region. This is a common best practice in AWS guidance.
aws cloudtrail create-trail --name org-trail --is-multi-region-trail --s3-bucket-name audit-logs
The Pod Security Standards define privileged, baseline, and restricted policies. The Pod Security Admission controller enforces these at the namespace level so pods meet your chosen profile.
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted
Network policies define which pods can talk to which destinations and on which ports. They reduce lateral movement inside the cluster and support a Zero Trust posture.
spec: podSelector: {}; ingress: - from: - podSelector: {matchLabels: app:web} ports: - port: 5432API3:2023 merges earlier categories to stress that servers must check authorization not only at the object level but also for each writable field. Blind model binding without allowlists causes painful leaks and privilege flips.
allowedFields = ['name','email']; user.update(pick(req.body, allowedFields))
Managed Identities allow Azure resources to get access tokens from Microsoft Entra without hard-coding keys. This reduces secret sprawl and rotation effort while fitting into RBAC and conditional access.
az vm identity assign -g rg -n myvm // then grant the VM’s identity least-privilege role on target
GCP guidance recommends avoiding long-lived user-managed keys. Use workload identity and scoped roles, create single-purpose service accounts, and disable unused accounts to reduce lateral movement risk.
gcloud iam service-accounts disable svc@proj.iam.gserviceaccount.com // retire unused accounts
Start deny by default. Turn on S3 Block Public Access at the account and bucket levels so no policy can make data public by mistake. Use least-privilege IAM policies bound to roles, not users. Encrypt objects with KMS and audit key use. Enable CloudTrail with a multi-Region trail and log file integrity so you can track who did what and when. Add bucket policies that require TLS and a specific VPC endpoint if possible. Finally, monitor for policy drift and unusual access. This structure lowers exposure and improves auditability.
Bucket policy idea: aws:SecureTransport=true AND aws:SourceVpce in allowed_list; deny if not met
Enforce Pod Security Standards at restricted where possible, baseline elsewhere, using Pod Security Admission. Lock down network with namespace-scoped Network Policies so only required flows are allowed. Use minimal images, read-only root filesystems, and run as non-root. Rotate secrets and prefer external secret managers. Restrict node metadata access and audit RBAC for least privilege. Capture and ship audit logs. These steps reduce breakout, lateral movement, and credential theft in real clusters.
Namespace labels: pod-security.kubernetes.io/enforce=restricted; create default-deny netpol; allow only app→db ports
Create a multi-Region CloudTrail per account or an organization trail that feeds a central log bucket with strict access. Enable log file integrity validation. Forward to your SIEM with clear account and Region tags. Keep retention long enough for compliance and threat dwell time. This gives responders a single, trustworthy place to search and correlate events across environments.
OrgTrail → S3 audit bucket (write-only for accounts) → SIEM ingestion with account_id and region fields