Interview AWS

Explain how you would design a secure, private EKS cluster with no public API endpoint.

AWS · Advanced level

Answer

For a private EKS cluster, I disable public API endpoint access, use private subnets, private connectivity for admins, VPC endpoints or controlled egress, scoped IAM, RBAC, private image pulls, and centralized logs.

Technical explanation

Private EKS clusters often fail operationally because required VPC endpoints for ECR, STS, logs, SSM, or Secrets Manager are missing.
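As an added example (not part of the original answer), the following offline check audits the two CLI outputs that show whether this pattern actually holds: `aws eks describe-cluster` for the endpoint and logging settings, and `aws ec2 describe-vpc-endpoints` for the ECR, S3, STS, logs, SSM and Secrets Manager endpoints. The cluster, VPC ids and region in the sample are constructed.

```python
# Offline audit of an EKS cluster for the private-cluster pattern: no public
# API endpoint, private endpoint on, control-plane logs on, required VPC
# endpoints present.  Inputs mirror `aws eks describe-cluster` ("cluster"
# object) and `aws ec2 describe-vpc-endpoints` ("VpcEndpoints" list).

# Endpoint services a private cluster needs for image pulls (ECR + S3
# gateway), IRSA/STS, CloudWatch Logs, SSM agent traffic and Secrets Manager.
REQUIRED_ENDPOINT_SUFFIXES = ("ecr.api", "ecr.dkr", "s3", "sts", "logs",
                              "ssm", "ssmmessages", "ec2messages", "secretsmanager")
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator"}


def audit_private_cluster(cluster, vpc_endpoints, region):
    """Return a list of findings; an empty list means the pattern holds."""
    findings = []
    net = cluster.get("resourcesVpcConfig", {})
    if net.get("endpointPublicAccess", True):  # AWS default is public
        cidrs = ",".join(net.get("publicAccessCidrs", []))
        findings.append(f"public API endpoint enabled (allowed CIDRs: {cidrs})")
    if not net.get("endpointPrivateAccess", False):
        findings.append("private API endpoint disabled")
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"control-plane log type not enabled: {log_type}")
    # Only endpoints that are available and in the cluster's own VPC count.
    present = {e["ServiceName"] for e in vpc_endpoints
               if e.get("State") == "available" and e.get("VpcId") == net.get("vpcId")}
    for suffix in REQUIRED_ENDPOINT_SUFFIXES:
        if f"com.amazonaws.{region}.{suffix}" not in present:
            findings.append(f"missing VPC endpoint: {suffix}")
    return findings


# Constructed sample (not real resources): public endpoint left open to the
# world, authenticator logs off, STS endpoint in the wrong VPC, no Secrets Manager.
SAMPLE_CLUSTER = {
    "resourcesVpcConfig": {"vpcId": "vpc-0example", "endpointPublicAccess": True,
                           "endpointPrivateAccess": True, "publicAccessCidrs": ["0.0.0.0/0"]},
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False}]},
}
SAMPLE_ENDPOINTS = [{"ServiceName": f"com.amazonaws.eu-west-1.{s}", "State": "available",
                     "VpcId": "vpc-0example"} for s in
                    ("ecr.api", "ecr.dkr", "s3", "logs", "ssm", "ssmmessages", "ec2messages")]
SAMPLE_ENDPOINTS.append({"ServiceName": "com.amazonaws.eu-west-1.sts",
                         "State": "available", "VpcId": "vpc-other"})

if __name__ == "__main__":
    print("\n".join(audit_private_cluster(SAMPLE_CLUSTER, SAMPLE_ENDPOINTS, "eu-west-1")))
```

Run against real output by loading the two JSON documents and passing `doc["cluster"]` and `doc["VpcEndpoints"]`; every finding maps to one of the failure modes named above.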

Multi-account governance should combine preventive controls such as SCPs with detective controls such as Config, GuardDuty, Inspector, Security Hub, CloudTrail, and Access Analyzer.

Central security, logging, and networking accounts reduce blast radius and protect evidence from workload account compromise.

Every control needs an owner, exception process, alert route, and remediation workflow or it becomes shelfware.

Hands-on example

1. Create a multi-account sandbox or use separate dev/security/logging accounts to test the control pattern.

2. Enable the relevant organization-level service or guardrail, then generate a controlled finding or denied action.

3. Route findings to Security Hub, EventBridge, ticketing, SIEM, or an incident channel with ownership metadata.

4. Document the exception process, remediation automation, and evidence required for audit.
