Having interviewed dozens of candidates, I have put together a list of topics that I typically expect any cloud architect to be able to answer. The focus is on hands-on expertise, not diagrams and exam questions; most of these questions quickly reveal the extent of a candidate’s hands-on experience. (Originally published on Medium: https://medium.com/public-cloud-security/everyone-is-a-cloud-architect-f20328e1153e )
Over the last few years, I have been more involved with interviewing candidates (as well as interviewing for positions myself).
To that end, this post captures some of the topics that a true cloud architect should be able to spell out in detail.
Note — You are free to use these in your interviewing sessions, but remember, this post contains only topic ideas, i.e. questions, without the answers.
Cloud Infrastructure Topics, Interview Questions
Infrastructure Intermediate — A VPN Tunnel is to be shared across multiple accounts (AWS), or multiple Projects (GCP) or Multiple Subscriptions (Azure). Give two different ways to accomplish this with pros and cons of each approach
Infrastructure Basic — Describe an approach that only lets authorized users from authorized VMs access resources in a subscription.
Infrastructure Basic — Launch Templates, Custom VM Images. Describe the use case and the advantages of building custom launch templates through custom ‘golden images’
Infrastructure Basic — Is Direct Connect (or ExpressRoute or Cloud Interconnect) traffic encrypted? Why or why not?
Infrastructure Intermediate — Auto Scaling Groups — I need to add different instance types to my AWS Auto Scaling group. Is this possible? If so, how?
Infrastructure Advanced — How would you move a Live Production VM from one subnet to another? Without any downtime?
Infrastructure Advanced — AutoScaling Instances based on Size of SQS Queue — Suppose I want to spawn EC2 instances based on the number of messages in an SQS queue: for 10,000 messages spawn 2 instances, for 20,000 messages spawn 4 instances, and so on. Once the queue is completely processed, the instances would need to be terminated. Describe how one could accomplish this.
Cloud Monitoring Topics, Interview Questions
Basic — Quickly determine the last person to log in to the subscription / account.
Basic — How would you create alerts tied to a specific user login?
Intermediate — What services could be used to check for non-compliant resources? And what services could help you automatically remediate those resources?
Cloud IAM Topics, Interview Questions
Describe what roles are needed to:
a) Basic — Administer EVERYTHING including IAM users and cloud resources
b) Basic — Read (Audit) access to all cloud resources
c) Intermediate — Audit ALL security related events and resources
d) Intermediate — Perform Remediation on resources
e) Intermediate — Allow a PaaS service (e.g. RDS) to write to a log (e.g. a CloudWatch log)
Cloud IAM Intermediate — Describe how a user OUTSIDE of your organization can be granted access to your cloud-hosted resources.
Cloud IAM Intermediate — Assume that resource access keys (e.g. EC2 access keys) are NOT allowed to be stored on your computer (or on any on-premises resource). How can a user still be given access to the cloud resources they need?
Cloud IAM Intermediate — Cross-Account Access. Resources in AWS Account A need access to Account B. (Same question for cross-project access in GCP and cross-subscription access in Azure.) How would you accomplish this?
Cloud IAM Advanced — Short-Term Tokens. What are short-term tokens? Devise a strategy using short-term tokens that would prevent any ‘human users’ from performing any DIRECT action on a cloud resource (i.e. the action would need to be performed by another identity; what would that be?). How could you further restrict that ‘human user’ to only request access tokens from an on-premises IP address?
3-Tier App Hosting on the Public Cloud
How would you map each tier to AWS (or GCP/Azure)? Discuss scale-out and scale-up of each tier.
Dynamic DNS allows you to direct your domain or a subdomain to a resource that is behind a gateway that has a dynamically assigned IP address.
Describe the traffic flow for an internet facing app hosted on AWS (or Azure, GCP). Each layer can be either an IaaS component (e.g. firewall appliance on a VM) OR a PaaS service (e.g. a firewall service)
RDS (DBaaS) Services
RDS Basic — What can an on-premises DBA NOT do on an RDS instance (or Cloud SQL or SQL Azure)?
RDS Backup and Restore — Can you restore individual databases in RDS?
RDS Backup and Restore — Are RDS restores ‘point in time’ or only up to the last snapshot?
RDS Intermediate — Give at least two different ways of moving data to an RDS / Cloud SQL / Azure SQL Instance
RDS Intermediate — What is a read replica? What is a multi-AZ deployment? When do you need which?
Serverless (Azure Functions, AWS Lambda, GCP Cloud Functions)
Advanced — Debugging Lambda Functions — Is this possible? If so, how?
Advanced — Lambda and long-running tasks — Lambda currently has an execution time limit of X minutes. Say you have a long-running function that requires more than X minutes to run. How would you design your Lambda plus whatever other AWS services are needed to execute this function?
Infrastructure Security and Data Protection
Basic — What service would you use for Threat Detection? For Vulnerability Scanning? For Cloud Assets Inventory?
Basic — Describe how you could get alerted on an infrastructure threat and how you might have an automatic remediation (e.g. an overly lax firewall rule)
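As an added illustration of the detect-then-remediate loop that the two monitoring questions above (checking for non-compliant resources, and alerting plus auto-remediation of an overly lax firewall rule) ask about, the following Python is example code, not part of the original post. It evaluates constructed security-group ingress rules against a list of ports that should never be open to the internet, proposes revoke/authorize actions that keep the port range but limit the source to a constructed corporate CIDR, and re-checks the result. No cloud API is called; the record shape, the sensitive-port list, the CIDR and the group IDs are assumptions for the example.

```python
"""Detect overly permissive security-group ingress rules and plan remediation.

Illustrative example: evaluates constructed rule records offline. The record
shape loosely mirrors an EC2 security group's ingress permissions, but no
cloud API is called; wiring the plan into real revoke/authorize calls is a
separate step.
"""
from dataclasses import dataclass, field
import ipaddress

# Ports that should never be reachable from the whole internet (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}
# Constructed corporate CIDR used when proposing a tightened rule.
CORPORATE_CIDR = "203.0.113.0/24"


@dataclass
class Rule:
    protocol: str          # "tcp", "udp", or "-1" for all protocols
    from_port: int         # -1 for all ports
    to_port: int
    cidr: str
    description: str = ""


@dataclass
class SecurityGroup:
    group_id: str
    rules: list = field(default_factory=list)


@dataclass
class Finding:
    group_id: str
    rule: Rule
    reason: str
    severity: str


def _covers_port(rule: Rule, port: int) -> bool:
    return rule.from_port <= port <= rule.to_port


def evaluate(groups):
    """Return findings for rules open to the world on all ports or on sensitive ports."""
    findings = []
    for sg in groups:
        for rule in sg.rules:
            if rule.cidr not in WORLD:
                continue  # restricted source: not a finding here
            if rule.protocol == "-1" or rule.from_port == -1:
                findings.append(Finding(sg.group_id, rule, "all traffic open to the internet", "critical"))
                continue
            if rule.protocol != "tcp":
                continue  # the sensitive-port list above is TCP-only
            exposed = [name for port, name in SENSITIVE_PORTS.items() if _covers_port(rule, port)]
            if exposed:
                findings.append(Finding(sg.group_id, rule, f"{', '.join(exposed)} open to the internet", "high"))
    return findings


def plan_remediation(findings, replacement_cidr=CORPORATE_CIDR):
    """Produce revoke/authorize actions that tighten each offending rule.

    The replacement keeps protocol and port range but limits the source to
    replacement_cidr (choose one of the same address family as the rule)."""
    ipaddress.ip_network(replacement_cidr)  # fail early on a malformed CIDR
    actions = []
    for f in findings:
        actions.append({"action": "revoke_ingress", "group_id": f.group_id, "rule": f.rule})
        tightened = Rule(f.rule.protocol, f.rule.from_port, f.rule.to_port, replacement_cidr, "auto-tightened")
        actions.append({"action": "authorize_ingress", "group_id": f.group_id, "rule": tightened})
    return actions


def apply_plan(groups, actions):
    """Apply the plan to the in-memory model (stand-in for the real API calls)."""
    by_id = {g.group_id: g for g in groups}
    for a in actions:
        sg = by_id[a["group_id"]]
        if a["action"] == "revoke_ingress":
            sg.rules = [r for r in sg.rules if r != a["rule"]]
        else:
            sg.rules.append(a["rule"])
    return groups


def sample_groups():
    """Constructed sample: one lax group, one compliant group."""
    return [
        SecurityGroup("sg-0example01", [
            Rule("tcp", 22, 22, "0.0.0.0/0", "ssh from anywhere"),      # flagged: high
            Rule("tcp", 443, 443, "0.0.0.0/0", "public https"),         # expected for a web tier
            Rule("-1", -1, -1, "::/0", "everything over IPv6"),         # flagged: critical
        ]),
        SecurityGroup("sg-0example02", [
            Rule("tcp", 22, 22, CORPORATE_CIDR, "ssh from office"),
        ]),
    ]


if __name__ == "__main__":
    groups = sample_groups()
    findings = evaluate(groups)
    for f in findings:
        print(f"[{f.severity}] {f.group_id}: {f.reason} ({f.rule.description})")
    apply_plan(groups, plan_remediation(findings))
    print("findings after remediation:", len(evaluate(groups)))
```

Public HTTPS stays untouched because it is not in the sensitive-port list; the point of the loop is that the alert and the proposed fix come from the same evaluation, so a human reviewer can approve the plan before anything is revoked.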
Advanced — PaaS endpoints are public. How would you ‘lock down’ a PaaS service so it is only accessible from on-premises IP addresses?
Intermediate — What service would you use for certificate management in AWS? GCP? Azure?
Advanced — Describe how a certificate can be provisioned and renewed for a) A PaaS service (e.g. ELB, CDN, API Gateways) and b) A server (say EC2 instance).
Intermediate — What is the difference between a DEK (data encryption key), a KEK (a Key Encryption Key) and a CMEK (Customer Managed Encryption Key)?
Advanced — How would you use a cloud encryption service to encrypt on-premises workloads?
By no means is this post meant to pick on anyone’s cloud-specific skill set (each of us is always learning), and it isn’t meant to serve as an authoritative interview question list.
It does, in my opinion, cover the bases. IAM, monitoring, basic infrastructure, basic security, 3-tier app hosting — these are essentials.
Certain advanced topics, such as building data pipelines, Kubernetes clusters or advanced messaging solutions using cloud-native services, are intentionally not included in this list (though I would love to hear your question list in the comments below).
While the list covers ‘essential’ topics, only a handful of the questions above can be answered without hands-on experience.
Thoughts? Comments? Do you have a favorite method to gauge an architect’s skill set?