Cloud Engineer Interview Questions

Our AWS bill was climbing without matching growth. I pulled Cost Explorer data, found over-provisioned instances and forgotten resources, then rightsized, bought savings plans for steady workloads, and added tagging to enforce ownership. We cut spend from $310K to $190K a month. I made it stick by adding budget alerts so cost stayed visible, not just a one-time cleanup.

A Terraform apply accidentally replaced a security group and dropped production traffic. I rolled back immediately using state and the prior plan, restored service in minutes, then added a required plan-review and a policy check to block destructive changes to networking. The incident taught me to gate high-blast-radius changes, and we never had a repeat.

A team was hand-clicking environments in the console and constantly hitting drift. Rather than mandate Terraform, I codified one of their painful environments and showed them how a new one spun up in 20 minutes reproducibly. Once they saw it, they asked to migrate the rest. Demonstrating the value beat dictating the standard.

A revenue service ran in a single AZ and was a clear single point of failure. I re-architected it across multiple AZs with health-checked load balancing and tested failover with a game day. Soon after, a real AZ disruption hit and customers never noticed. Proactively removing single points of failure paid off in a live event.

Developers wanted broad IAM permissions to move fast. Instead of slowing them down with tickets, I built reusable least-privilege Terraform modules they could self-serve. They got speed and we kept guardrails. The trick was making the secure path the easy path rather than relying on review gates.

Engineers kept opening tickets for routine infra changes. I ran a short internal workshop on our Terraform modules and wrote a 'paved road' guide for common patterns. Within a month most teams self-served their changes safely. I measured success by the drop in infra tickets and the rise in PRs from product teams.

I'd run stateless app containers in an autoscaling group or Kubernetes across at least two availability zones behind a load balancer, with a managed multi-AZ database and read replicas. Static assets go to object storage fronted by a CDN. Autoscaling responds to CPU and request metrics, and I'd add health checks for automatic instance replacement plus infrastructure-as-code so the whole stack is reproducible.

I'd use IAM roles scoped to least privilege rather than long-lived keys, and assign workload identities (IRSA on EKS or workload identity on GKE) so services get short-lived credentials automatically. Network-wise I'd segment with VPCs, security groups, and private endpoints so services aren't internet-exposed. Service-to-service traffic gets mTLS via a mesh where the threat model warrants it.

Terraform tracks the real-world resources it manages in a state file mapping config to actual infrastructure IDs. It uses state to compute the diff between desired and current and to plan changes. In teams you store state remotely (e.g. S3 with DynamoDB locking) so it's shared and locked, preventing two applies from corrupting it. Losing or mismanaging state is the most common way infra changes go wrong.

I'd check whether it correlates with autoscaling events or node pressure, then look at pod resource limits causing CPU throttling or OOM restarts. I'd inspect readiness probes and whether traffic hits unready pods, plus DNS resolution latency, which is a common hidden culprit. Metrics from Prometheus and traces narrow it from a vague 'slow' to a specific layer quickly.