How do you audit who did what in your cloud and clusters (CloudTrail, audit logs)? [Advanced]
Answer
I audit who did what by collecting the audit trails each layer already produces: AWS CloudTrail for API calls, Kubernetes API server audit logs, CI/CD job logs, IAM Access Analyzer findings, Git history, and service-specific logs (load balancers, databases, secrets managers). Those logs need to be centralized in an account or cluster the producers cannot write to, tamper-resistant (for example CloudTrail log file validation or S3 Object Lock on the log bucket), searchable, and retained for as long as compliance requires.
Technical explanation
CloudTrail records each AWS API call with the event name and service, the caller identity (IAM user, or assumed role plus session), source IP and user agent, timestamp, request parameters, and the response or error code. Management events are on by default; data events such as S3 object reads or Lambda invocations must be enabled explicitly, and an organization trail is the way to cover every account from one place.
Kubernetes audit logs are emitted by the API server according to an audit policy that sets, per resource, how much is recorded (None, Metadata, Request, RequestResponse). Each event shows which user or service account ran which verb (create, update, patch, delete, get, list, watch) on which resource, including pod exec and reads of Secrets; Secrets are normally logged at Metadata level so their values never land in the log.
Audit logs should feed alerts for high-risk actions: disabling or deleting a trail (StopLogging, DeleteTrail), creating access keys or admin-level IAM principals, reading Secrets in production, and changes to network exposure such as security group rules or a Service switched to type LoadBalancer.
Hands-on example
Example detection: alert when an IAM user creates an access key outside the approved pipeline, when CloudTrail is stopped, when a Kubernetes Secret is read in production by an unusual identity, or when a cluster-admin binding is created.
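The four detections above, implemented over constructed sample events. This is an added example, not code from the original page; the events below are constructed to follow the CloudTrail and Kubernetes audit.k8s.io/v1 record shapes, and the approved pipeline role, the production namespace, and the identities expected to read Secrets are assumptions a real deployment would replace with its own allow-lists.

```python
"""Detection logic for CloudTrail and Kubernetes audit events (added example).

Assumptions (not from the page): the pipeline role allowed to mint access
keys, the production namespace, and the identities expected to read Secrets.
"""
from dataclasses import dataclass

APPROVED_KEY_ISSUERS = {"arn:aws:sts::111122223333:assumed-role/ci-key-rotator/github"}
PROD_NAMESPACES = {"prod"}
EXPECTED_SECRET_READERS = {"system:serviceaccount:prod:payments-api"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


@dataclass(frozen=True)
class Alert:
    rule: str
    identity: str
    detail: str


def cloudtrail_alerts(events):
    """Return alerts for trail tampering and access keys created outside the pipeline."""
    alerts = []
    for ev in events:
        if ev.get("errorCode"):           # the call failed; nothing changed, skip here
            continue
        name, src = ev.get("eventName"), ev.get("eventSource")
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(Alert("cloudtrail-tampering", actor, f"{name} on {params.get('name')}"))
        elif src == "iam.amazonaws.com" and name == "CreateAccessKey":
            if actor not in APPROVED_KEY_ISSUERS:
                # userName is absent when a principal creates a key for itself
                target = params.get("userName", "<self>")
                alerts.append(Alert("access-key-outside-pipeline", actor, f"key for {target}"))
    return alerts


def kubernetes_alerts(events):
    """Return alerts for unusual Secret reads in prod, cluster-admin bindings and pod exec."""
    alerts = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":   # act once the API server has answered
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 400:
            continue                                  # denied or failed; nothing happened
        user = ev.get("user", {}).get("username", "unknown")
        ref, verb = ev.get("objectRef", {}), ev.get("verb")
        res, ns, name = ref.get("resource"), ref.get("namespace"), ref.get("name", "*")
        if res == "secrets" and verb in {"get", "list", "watch"} and ns in PROD_NAMESPACES:
            if user not in EXPECTED_SECRET_READERS:
                alerts.append(Alert("prod-secret-read-unusual-identity", user, f"{verb} {ns}/{name}"))
        elif res == "clusterrolebindings" and verb == "create":
            # requestObject is only present when the audit policy logs at Request level or above
            role = ev.get("requestObject", {}).get("roleRef", {}).get("name")
            if role == "cluster-admin":
                alerts.append(Alert("cluster-admin-binding-created", user, f"{name} -> cluster-admin"))
        elif res == "pods" and ref.get("subresource") == "exec":
            alerts.append(Alert("pod-exec", user, f"exec into {ns}/{name}"))
    return alerts


# Constructed sample events (not real captures).
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-key-rotator/github"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

SAMPLE_K8S = [
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:serviceaccount:prod:payments-api"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "jane@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "jane@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "dev", "name": "db-creds"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "ci-deployer"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "oops-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}, "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-0"},
     "responseStatus": {"code": 101}},
    {"stage": "RequestReceived", "verb": "get", "user": {"username": "bob"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}},
]

if __name__ == "__main__":
    for a in cloudtrail_alerts(SAMPLE_CLOUDTRAIL) + kubernetes_alerts(SAMPLE_K8S):
        print(f"[{a.rule}] {a.identity}: {a.detail}")
```

Failed CloudTrail calls and 4xx Kubernetes responses are skipped here because the action did not happen, but in practice a burst of denied attempts from one identity is its own detection. The cluster-admin rule also depends on the audit policy logging ClusterRoleBindings at Request level; at Metadata level requestObject is absent and the rule silently never fires, which is worth checking with a known-good test binding.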
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]