Cloud Security (InfoSec) Specialist interview questions

I've been in security for eight years, with the last four focused on cloud security and three of those in Oman. Started in network security at an Indian managed services provider, moved into AWS security architecture, and for the past three years I've been a cloud security specialist at an Omani bank where we run a hybrid Azure and AWS environment. I hold AWS Security Specialty, Azure Security Engineer, and CISSP. My day-to-day: cloud security architecture review, IAM and identity controls, posture management, and incident response for cloud-specific events.

Continuous: a CSPM tool (we use Wiz; Prisma or Defender for Cloud also viable) scans every resource and configuration against benchmark policies (CIS, NIST, our own custom rules). Findings prioritised by severity and exploitability. Critical findings on internet-facing resources: same-day remediation. Lower priority: 30-day SLA. Beyond the tool: I track risk trend over time. If we're accumulating misconfigurations faster than we're fixing them, that's an organisational issue, not a tool issue. Monthly reporting to the CISO. The goal is shifting left so misconfigurations don't reach production.

Several layers. Source: protected branches, signed commits, mandatory review. Build: pipelines run in ephemeral isolated containers. Dependencies scanned for vulnerabilities (Snyk or Trivy) failing the build for critical CVEs. Infrastructure as code scanned with tools like Checkov to catch misconfiguration before deployment (public buckets, open security groups, etc.). Container images signed with cosign and stored in private registries. Secrets never in pipeline files; pulled from Key Vault or Secrets Manager at runtime with short-lived tokens. Deploy access: separate service identities for dev/staging/prod with least privilege. Audit logs from CI for compliance.

Centralised identity through Azure AD (or AWS SSO) as the single source. Every user gets role-based access, no individual permissions. Roles defined per job function, mapped to AD groups. Privileged access (admin roles) requires just-in-time elevation with approval workflow; nobody has standing admin access. MFA enforced everywhere. Service-to-service: managed identities or IAM roles, never long-lived access keys. Regular access reviews: quarterly per role, immediate on role change. Logging: every IAM action goes to SIEM. Recovery procedures: documented break-glass accounts under multi-person control.

Embed early, not late. I'm in architecture reviews from week one, not summoned at the end for sign-off. I respond fast to security questions; the worst security teams take three days for a yes/no answer. I treat business asks as legitimate even when the answer has to be no; I always propose an alternative. I'm available for office hours where teams can ask anything. The trust earned through hundreds of small positive interactions is what lets security function as a partner rather than as gatekeepers.

For a senior cloud security specialist role in Oman banking I'd target OMR 2,000 to 2,500 total package depending on the cloud platform breadth and on-call expectations. Multi-cloud roles and those with active incident response command a premium. I'm on 60 days' notice. Beyond pay I'd value the security culture; in some orgs security is partnered, in others it's tolerated; the difference matters enormously to the role's effectiveness and my job satisfaction.