How do you manage and rotate SSH and API keys at scale? [Advanced]
Answer
At scale, I manage SSH and API keys by reducing static keys, centralizing issuance, enforcing short lifetimes, rotating automatically, inventorying ownership, detecting unused keys, and using alternatives such as SSO, certificates, OIDC, and workload identity.
Technical explanation
For SSH, prefer short-lived certificates issued by an SSH CA (or SSO-backed access through a proxy such as Teleport) over permanent authorized_keys sprawl: hosts trust one CA public key, every certificate carries its principals and an expiry, and nothing has to be deleted from individual servers when someone leaves. Keep a key revocation list for the rare certificate that must die before it expires.
For API keys, store them in a secret manager, assign each one an owner, rotate on a schedule with an overlap window (issue the new key, cut consumers over, then revoke the old one), and alert on unusual use such as calls from a new region or a sudden spike in volume.
Every key should have least privilege, an expiration, an environment scope (a dev key must not work in prod), and automated revocation when the owning employee or service is offboarded.
Hands-on example
Hands-on: replace long-lived bastion SSH keys with Teleport or OpenSSH certificates valid for 8 hours. For cloud APIs, remove static IAM user access keys and let pipelines and workloads obtain short-lived credentials through OIDC federation or workload identity. Run a weekly job that flags keys older than 90 days or unused for 30 days, and route each finding to the key's owner.
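The weekly job from the example above, as an added example that is not part of the original page: a Python script that audits a constructed key inventory against the 90-day age and 30-day idle limits and that checks the lifetime of SSH certificates by parsing `ssh-keygen -L` output. The inventory format, the key names and owners, and the sample certificate listings are assumptions made for this example; a real job would build the inventory from the secret manager and the cloud provider's key-last-used API.

```python
"""Weekly key-hygiene checks (added example; not code from the original page).

1. audit_api_keys: flag API keys that are older than 90 days, unused for
   30 days, or have no owner.
2. check_cert_lifetime: parse `ssh-keygen -L` output and confirm the
   certificate is short-lived (<= 8 h), catching "Valid: forever" certs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90    # rotate anything older than this
MAX_IDLE_DAYS = 30   # revoke anything unused for this long
MAX_CERT_HOURS = 8   # ceiling on SSH certificate lifetime


@dataclass(frozen=True)
class ApiKey:
    """Inventory record; the field set is an assumption for this example."""
    key_id: str
    owner: str | None
    environment: str
    created: datetime
    last_used: datetime | None   # None: never used since issuance


def audit_api_keys(keys, now):
    """Return {key_id: [finding, ...]} for every key that violates policy."""
    findings = {}
    for k in keys:
        problems = []
        if k.owner is None:
            problems.append("no owner")
        if now - k.created > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"older than {MAX_AGE_DAYS}d: rotate")
        # A never-used key has been idle since it was issued.
        idle_since = k.last_used or k.created
        if now - idle_since > timedelta(days=MAX_IDLE_DAYS):
            problems.append(f"unused for >{MAX_IDLE_DAYS}d: revoke")
        if problems:
            findings[k.key_id] = problems
    return findings


_KEYID_RE = re.compile(r'^\s*Key ID:\s+"(.*)"$', re.MULTILINE)
_VALID_RE = re.compile(r"^\s*Valid:\s+(.*)$", re.MULTILINE)
_TIME_FMT = "%Y-%m-%dT%H:%M:%S"   # ssh-keygen -L prints absolute times this way


def check_cert_lifetime(cert_listing, max_hours=MAX_CERT_HOURS):
    """Return (key_id, lifetime_hours, ok) for one `ssh-keygen -L` listing.

    lifetime_hours is None for a certificate with no expiry; such a
    certificate never passes. Only the "from X to Y" and "forever" forms
    are handled here.
    """
    key_id = _KEYID_RE.search(cert_listing).group(1)
    valid = _VALID_RE.search(cert_listing).group(1).strip()
    if valid == "forever":
        return key_id, None, False
    m = re.match(r"from (\S+) to (\S+)", valid)
    start = datetime.strptime(m.group(1), _TIME_FMT)
    end = datetime.strptime(m.group(2), _TIME_FMT)
    hours = (end - start).total_seconds() / 3600
    return key_id, hours, hours <= max_hours


# --- constructed sample data (not real keys) ---------------------------------
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ApiKey("ci-build-key", "platform", "prod",
           datetime(2024, 5, 20, tzinfo=timezone.utc),
           datetime(2024, 5, 31, tzinfo=timezone.utc)),          # healthy
    ApiKey("legacy-etl-key", "data", "prod",
           datetime(2024, 1, 15, tzinfo=timezone.utc),
           datetime(2024, 5, 28, tzinfo=timezone.utc)),          # 138 days old
    ApiKey("orphan-key", None, "staging",
           datetime(2024, 4, 15, tzinfo=timezone.utc),
           datetime(2024, 4, 20, tzinfo=timezone.utc)),          # ownerless, idle 42d
    ApiKey("dev-never-used-key", "dev", "dev",
           datetime(2024, 3, 1, tzinfo=timezone.utc), None),     # 92 days, never used
]

GOOD_CERT = '''id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "alice@bastion"
        Serial: 42
        Valid: from 2024-06-01T08:00:00 to 2024-06-01T16:00:00
        Principals:
                alice
'''
LONG_CERT = GOOD_CERT.replace("to 2024-06-01T16:00:00", "to 2024-07-01T08:00:00")
FOREVER_CERT = '''deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "svc-deploy"
        Valid: forever
'''

if __name__ == "__main__":
    for key_id, problems in audit_api_keys(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(f"{key_id}: {'; '.join(problems)}")
    for listing in (GOOD_CERT, LONG_CERT, FOREVER_CERT):
        print(check_cert_lifetime(listing))
```

To produce the certificates this checks with plain OpenSSH: sign a user key with `ssh-keygen -s ca_key -I alice -n alice -V +8h id_ed25519.pub`, point hosts at the CA with `TrustedUserCAKeys` in sshd_config, and list any certificate with `ssh-keygen -L -f id_ed25519-cert.pub`. The audit deliberately treats a never-used key as idle since issuance, so an unused key is revoked rather than rotated.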
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]