Cloud engineer role-specific interview questions

As asked

You inherit a cloud estate where every team uses admin-like roles in a shared account. How would you redesign access without blocking delivery?

Sample answer outline

Start by separating environments and blast radii: production from non-production, shared platform from application accounts, and human access from workload identity. Define roles around actions people actually need, then enforce least privilege with permission boundaries, short-lived credentials, and break-glass access that is audited. Use infrastructure-as-code and policy-as-code so access changes are reviewed, repeatable, and testable. Strong answers mention migration sequencing because cutting everyone over in one move usually breaks deployments. Candidates often trip up by describing perfect IAM theory without a path from the current unsafe state.

Expect these follow-ups

• How do you handle a senior engineer who insists they need admin for debugging?
• Where would you use service control policies or organisation policies?
• What audit signals tell you the new model is working?

As asked

Your monthly cloud forecast jumps by 45 percent over a weekend. What do you check first, and how do you stop it happening again?

Sample answer outline

Break the bill down by service, region, account, tag, and usage type before guessing. Common causes are runaway data transfer, NAT gateway traffic, oversized compute, forgotten test clusters, log ingestion, or a warehouse job scanning far more data than expected. Stop the bleeding with quotas, budgets, anomaly alerts, and temporary scaling caps where they are safe. Then fix ownership: mandatory tags, showback or chargeback, and pull-request visibility for expensive infrastructure changes. The interviewer wants pragmatism, not just 'buy savings plans', because commitments can lock in waste.

Expect these follow-ups

• Which cost category is hardest to allocate back to a team?
• When do savings plans make the problem worse?
• How would you explain this incident to finance without hiding the engineering details?

As asked

A company says it has nightly backups but has never restored them. What backup and restore strategy would you put in place?

Sample answer outline

Define RPO and RTO first because backup frequency and restore architecture follow from business tolerance. Use automated full backups plus continuous WAL or binlog archiving for point-in-time recovery, encrypted and stored in a separate failure domain. Test restores regularly into an isolated environment and measure how long the restore takes, whether credentials and extensions work, and whether applications can connect. Include corruption, accidental delete, regional failure, and operator error scenarios. The trap is treating backup creation as success; recovery is the product.

Expect these follow-ups

• How do you test restore without exposing production data broadly?
• What is your plan for a bad migration that corrupts data but continues for six hours?
• How do backups interact with GDPR deletion requirements?

As asked

Traffic to your public service suddenly starts routing through an unexpected provider and latency triples. How would you investigate and respond to a possible BGP route leak?

Sample answer outline

Start with external visibility: route collectors, looking glasses, RPKI status, traceroutes from multiple regions, and provider status channels. Confirm whether your prefixes are being originated or propagated incorrectly, then work with upstream providers to filter or withdraw bad routes. Ensure your own route objects, ROAs, prefix filters, and max-prefix limits are correct before blaming the internet. Mitigate user impact with traffic engineering, alternate providers, or CDN routing where available. Candidates should understand that BGP convergence and provider coordination are operational realities, not instant local fixes.

Expect these follow-ups

• How does RPKI help, and what does it not prevent?
• What prefix filtering would you expect from a responsible upstream?
• How would you communicate customer impact during a routing incident?