Interview › Security & DevSecOps
How would you enforce a policy like 'no public S3 buckets' as code? [Intermediate]
Answer
To enforce 'no public S3 buckets' as code, I would evaluate the Terraform plan or CloudFormation template against a policy engine in CI before deployment, and keep checking the deployed AWS resources continuously so that changes made outside the pipeline are caught too. The policy should deny public canned ACLs, bucket policies that grant access to a wildcard principal, and buckets whose block-public-access settings are missing or not fully enabled.
Technical explanation
CI/IaC enforcement prevents new violations before they reach production.
Runtime CSPM detects drift or changes made outside IaC.
Exceptions should be explicit, time-limited, approved, and limited to reviewed public assets.
Hands-on example
Conftest/Rego sketch (saved as policy/s3.rego; Conftest evaluates the "main" package by default):
package main

import rego.v1

deny contains msg if {
    some resource in input.resource_changes
    resource.type == "aws_s3_bucket_public_access_block"
    resource.change.after.block_public_acls == false
    msg := sprintf("%s must set block_public_acls = true", [resource.address])
}
Run it against the plan JSON before apply:
terraform plan -out plan.out
terraform show -json plan.out > plan.json
conftest test plan.json
This sketch only fires when a public access block exists with the flag set to false; the case of a bucket with no public access block at all needs a separate rule over aws_s3_bucket resources, and the other three flags (block_public_policy, ignore_public_acls, restrict_public_buckets) need the same treatment.
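The Rego sketch covers one flag on one resource type. The following Python check is added here as an illustration (it is not the page's code and not part of Conftest or Terraform) and implements all three rules from the answer against the same `terraform show -json` output: a bucket with a missing or partially enabled public access block, a public canned ACL, and a bucket policy that allows a wildcard principal. It assumes bucket names are known at plan time, so the public access block is matched to its bucket through the `bucket` attribute; the plan embedded below is constructed for the example.

```python
"""Policy-as-code check: fail a Terraform plan that would create a public S3 bucket.

Usage: python check_s3_public.py plan.json   (exit 1 on any violation)
Without an argument it evaluates the constructed SAMPLE_PLAN below.
"""
import json
import sys

PAB_FLAGS = (
    "block_public_acls",
    "block_public_policy",
    "ignore_public_acls",
    "restrict_public_buckets",
)
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _after(rc):
    """Planned post-apply attributes of a resource_changes entry (empty for deletes)."""
    return rc.get("change", {}).get("after") or {}


def _surviving(plan):
    """Resource changes that still exist after apply, i.e. everything but pure deletes."""
    return [rc for rc in plan.get("resource_changes", [])
            if rc.get("change", {}).get("actions") != ["delete"]]


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_public(policy_json):
    """True if any Allow statement names a wildcard principal.

    Deliberately conservative: a Condition block may narrow the grant, but a
    wildcard principal is still flagged so a human reviews it.
    """
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return False
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return any(s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
               for s in stmts)


def find_violations(plan):
    """Return 'address: reason' strings for a plan (the parsed terraform show -json dict)."""
    violations = []
    rcs = _surviving(plan)
    buckets = {rc["address"]: _after(rc) for rc in rcs if rc["type"] == "aws_s3_bucket"}
    # Bucket name -> public access block attributes. Assumption: names are known at
    # plan time; computed names would need matching via the plan's configuration block.
    pabs = {_after(rc).get("bucket"): _after(rc) for rc in rcs
            if rc["type"] == "aws_s3_bucket_public_access_block"}

    for addr, attrs in buckets.items():  # rule 1: block-public-access present and complete
        pab = pabs.get(attrs.get("bucket"))
        if pab is None:
            violations.append(f"{addr}: no aws_s3_bucket_public_access_block")
            continue
        off = [f for f in PAB_FLAGS if pab.get(f) is not True]
        if off:
            violations.append(f"{addr}: public access block leaves {', '.join(off)} disabled")

    for rc in rcs:  # rule 2: public canned ACL; rule 3: wildcard principal in bucket policy
        attrs = _after(rc)
        if rc["type"] == "aws_s3_bucket_acl" and attrs.get("acl") in PUBLIC_CANNED_ACLS:
            violations.append(f"{rc['address']}: public canned ACL {attrs['acl']!r}")
        if rc["type"] == "aws_s3_bucket_policy" and policy_allows_public(attrs.get("policy")):
            violations.append(f"{rc['address']}: bucket policy allows a wildcard principal")
    return violations


# Constructed plan for this example; the shape follows resource_changes[] in `terraform show -json`.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "logs-prod"}}},
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": {"bucket": "logs-prod", "block_public_acls": True,
                "block_public_policy": True, "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "assets-public"}}},
    {"address": "aws_s3_bucket_acl.assets", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"bucket": "assets-public", "acl": "public-read"}}},
    {"address": "aws_s3_bucket.lake", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "data-lake"}}},
    {"address": "aws_s3_bucket_public_access_block.lake", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["update"], "after": {"bucket": "data-lake", "block_public_acls": True,
                "block_public_policy": False, "ignore_public_acls": True, "restrict_public_buckets": False}}},
    {"address": "aws_s3_bucket_policy.lake", "type": "aws_s3_bucket_policy",
     "change": {"actions": ["create"], "after": {"bucket": "data-lake", "policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::data-lake/*"}]})}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"bucket": "old"}, "after": None}},
]}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    problems = find_violations(plan)
    print("\n".join(problems) or "no public S3 bucket violations")
    sys.exit(1 if problems else 0)
```

Against the constructed plan this reports four violations (assets: no public access block and a public-read ACL; data-lake: two flags left disabled and a wildcard-principal policy) and ignores the bucket being deleted. The same predicate functions can be reused for the runtime side of the policy by feeding them the responses of the corresponding S3 read APIs instead of plan attributes.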
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]