HireHireInterview Quizzes › Cloud Engineer

Cloud Engineer Interview Questions

Think you're ready? These are the questions that actually decide Cloud Engineer interviews. Warm up on Easy — then face the Hard round, where 95% of candidates crumble. 30 questions across 3 levels, instant score, completely free.

30Questions
3Difficulty levels
95%Fail the hard round
FreeInstant score
Easy
Warm-up · 10 Qs
Medium
Practical · 10 Qs
Hard
Brutal · 10 Qs
⚡ Take the Cloud Engineer quiz — get your score →

The Cloud Engineer interview questions

Below are the real questions, grouped by difficulty. Expand any one to reveal the correct answer and why — or take the timed quiz for a score you can share. Can you clear the Hard round?

Easy round 10 questions

In AWS, what is the primary purpose of a Security Group?
  • A. To act as a stateful virtual firewall controlling inbound and outbound traffic at the instance level ✓
  • B. To store and rotate database credentials automatically
  • C. To provide DNS resolution for resources inside a VPC
  • D. To distribute incoming traffic across multiple EC2 instances
Correct answer: A. A Security Group is a stateful virtual firewall that controls inbound and outbound traffic for resources such as EC2 instances.
Which characteristic best distinguishes Infrastructure as a Service (IaaS) from Platform as a Service (PaaS)?
  • A. IaaS provides only pre-built SaaS applications, while PaaS provides raw hardware
  • B. IaaS gives you virtualized compute, storage, and networking that you manage, while PaaS also manages the runtime and OS for you ✓
  • C. IaaS and PaaS are identical and the terms are interchangeable
  • D. IaaS is always on-premises, while PaaS is always cloud-hosted
Correct answer: B. IaaS delivers virtualized infrastructure the user manages, while PaaS additionally abstracts the OS and runtime so developers focus only on code.
What does Terraform's 'state file' primarily track?
  • A. The billing charges accrued by provisioned resources
  • B. The mapping between resources defined in configuration and real-world resources it manages ✓
  • C. The version history of every code commit
  • D. The runtime logs of running applications
Correct answer: B. Terraform's state file records the mapping between your declared configuration and the actual provisioned resources so it can plan changes.
A stateless web application needs to automatically scale based on CPU load. Which AWS service handles adding and removing EC2 instances?
  • A. Amazon CloudFront
  • B. AWS Auto Scaling Group ✓
  • C. Amazon Route 53
  • D. AWS CloudTrail
Correct answer: B. An Auto Scaling Group automatically launches or terminates EC2 instances to match demand based on defined scaling policies.
In Kubernetes, what is the role of a Service object?
  • A. It stores persistent data for stateful applications
  • B. It provides a stable network endpoint and load-balances traffic across a set of Pods ✓
  • C. It defines the container image and resource limits for a Pod
  • D. It schedules Pods onto specific worker nodes
Correct answer: B. A Kubernetes Service provides a stable IP/DNS endpoint and load-balances requests across the Pods matching its selector.
Which storage option is most appropriate for storing large amounts of unstructured objects like images and backups in AWS?
  • A. Amazon EBS
  • B. Amazon S3 ✓
  • C. Amazon RDS
  • D. AWS instance store
Correct answer: B. Amazon S3 is object storage designed for durable, scalable storage of unstructured data like images, videos, and backups.
What is the main benefit of using a load balancer in a cloud architecture?
  • A. It encrypts all data stored on disk automatically
  • B. It distributes incoming traffic across multiple servers to improve availability and fault tolerance ✓
  • C. It reduces the storage cost of database backups
  • D. It compiles application source code before deployment
Correct answer: B. A load balancer spreads incoming requests across multiple healthy backends, improving availability, scalability, and fault tolerance.
In AWS IAM, what is the recommended way to grant an EC2 instance permission to access an S3 bucket?
  • A. Hard-code an IAM user's access keys into the application code
  • B. Attach an IAM role with the required permissions to the EC2 instance ✓
  • C. Store the root account credentials on the instance
  • D. Make the S3 bucket fully public
Correct answer: B. Attaching an IAM role provides temporary, automatically rotated credentials to the instance without embedding long-lived keys.
Which HTTP status code range indicates a server-side error?
  • A. 2xx
  • B. 3xx
  • C. 4xx
  • D. 5xx ✓
Correct answer: D. 5xx status codes (e.g., 500, 502, 503) indicate the server failed to fulfill a valid request.
What does 'idempotency' mean in the context of infrastructure automation tools like Ansible or Terraform?
  • A. Running the same operation multiple times produces the same end state without unintended changes ✓
  • B. Each run provisions brand-new resources regardless of current state
  • C. The tool must be run exactly once or it will fail
  • D. Operations are executed in random order for load distribution
Correct answer: A. Idempotency means applying the same configuration repeatedly converges to the same desired state without duplicating or altering resources unnecessarily.

Medium round 10 questions

A web server EC2 instance in a public subnet cannot be reached from the internet, even though its security group allows inbound HTTP (port 80) from 0.0.0.0/0. The instance has a public IP. What is the MOST likely cause?
  • A. The subnet's route table has no route to an Internet Gateway ✓
  • B. The security group is missing an outbound rule for port 80
  • C. The instance needs an Elastic IP instead of a public IP
  • D. The instance type does not support public networking
Correct answer: A. A public subnet requires a route table entry directing 0.0.0.0/0 traffic to an Internet Gateway; without it, the instance is unreachable regardless of its public IP or security group.
You want to grant an EC2 application running on an instance permission to read objects from an S3 bucket. What is the recommended AWS practice?
  • A. Attach an IAM role to the EC2 instance with an S3 read policy ✓
  • B. Store an IAM user's access keys in the application's config file
  • C. Make the S3 bucket public and restrict by the instance's IP
  • D. Use the AWS account root credentials in an environment variable
Correct answer: A. Attaching an IAM role to the instance provides temporary, automatically-rotated credentials, avoiding the risk of hardcoding long-lived access keys.
A containerized application reads its database password from an environment variable. Which approach best keeps this secret out of the Docker image and source control?
  • A. Inject the secret at runtime from a secrets manager or orchestrator secret ✓
  • B. Hardcode it in the Dockerfile using an ENV instruction
  • C. Bake it into the image and mark the image registry as private
  • D. Commit it to a .env file tracked in the Git repository
Correct answer: A. Injecting secrets at runtime (via a secrets manager or Kubernetes/ECS secret) keeps them out of the image layers and version control, where they would otherwise be recoverable.
Your Terraform apply fails midway, and the state file no longer matches real infrastructure. Before making changes, what is the safest first step to reconcile them?
  • A. Run terraform plan to see the difference between state and real resources ✓
  • B. Delete the state file and run terraform apply again
  • C. Manually edit the state file JSON to match reality
  • D. Run terraform destroy and recreate everything
Correct answer: A. terraform plan shows the drift between the recorded state and actual infrastructure without changing anything, letting you decide how to reconcile safely.
An Auto Scaling Group behind an Application Load Balancer is scaling out correctly under load, but new instances start receiving traffic before the app is ready, causing errors. What should you configure?
  • A. An ALB health check with an appropriate health check grace period ✓
  • B. A larger instance type for faster boot times
  • C. A scheduled scaling policy instead of dynamic scaling
  • D. A shorter health check interval on the instances
Correct answer: A. Configuring the load balancer health check plus a health check grace period ensures instances only receive traffic after they pass health checks and the app has finished initializing.
You need to store large volumes of infrequently accessed backup files at the lowest cost while still allowing retrieval within minutes when needed. Which S3 storage class is most appropriate?
  • A. S3 Glacier Flexible Retrieval (formerly Glacier) ✓
  • B. S3 Standard
  • C. S3 One Zone-Infrequent Access
  • D. S3 Glacier Deep Archive
Correct answer: A. Glacier Flexible Retrieval offers very low storage cost with expedited/standard retrievals in minutes to hours, unlike Deep Archive which takes up to 12 hours.
A Kubernetes pod is stuck in CrashLoopBackOff. Which command gives you the most direct insight into why the container is failing to start?
  • A. kubectl logs <pod> --previous ✓
  • B. kubectl get nodes
  • C. kubectl scale deployment <name> --replicas=0
  • D. kubectl describe service <name>
Correct answer: A. kubectl logs with --previous shows the output of the last crashed container instance, which typically contains the error causing the restart loop.
A CI/CD pipeline builds a Docker image on every commit, but builds are slow because dependencies are reinstalled each time. What is the most effective fix?
  • A. Order the Dockerfile so dependency installation happens before copying app code ✓
  • B. Use a larger build machine with more CPU
  • C. Combine all Dockerfile commands into a single RUN instruction
  • D. Disable the Docker build cache entirely
Correct answer: A. Placing dependency installation (a rarely-changing layer) before copying frequently-changing app code lets Docker cache the dependency layer across builds.
Two subnets in the same VPC cannot communicate with each other, though both have instances with correct security groups. What is the most likely misconfiguration?
  • A. A network ACL is blocking traffic between the subnets ✓
  • B. The VPC needs a peering connection between the subnets
  • C. The subnets are in different Availability Zones
  • D. The route table lacks the VPC's local route
Correct answer: A. Subnets in the same VPC route to each other automatically via the local route, so a restrictive Network ACL (which is stateless and applies per-subnet) is the likely blocker; peering is only needed across VPCs.
You are asked to reduce the blast radius of a compromised set of credentials for a service that only needs to write logs to one CloudWatch log group. Which IAM principle should guide your policy?
  • A. Least privilege — grant only the specific write action on that log group ✓
  • B. Grant CloudWatch full access for operational flexibility
  • C. Use a wildcard resource so future log groups are covered
  • D. Attach an AWS managed admin policy and monitor usage
Correct answer: A. Least privilege limits the policy to exactly the actions and resources needed, so compromised credentials can do minimal damage.

Hard round 10 questions

Two engineers run `terraform apply` against the same S3-backed state at nearly the same time, but the team disabled DynamoDB state locking to 'speed things up.' Engineer A's apply reads the state, then Engineer B's apply reads the same state, both plan against it, and both write. What is the most likely concrete failure?
  • A. Terraform automatically serializes the two applies because S3 is strongly consistent, so no corruption occurs
  • B. The second apply to finish overwrites the state file with a version that omits resources the first apply created, so those resources become orphaned/untracked ✓
  • C. Both applies fail immediately with a 409 Conflict from S3 before any resources change
  • D. The state file is fine, but the AWS provider rate-limits and one apply retries transparently
Correct answer: B. Without a lock, the last writer wins and clobbers the other's state, leaving real resources that Terraform no longer tracks (drift/orphans).
A pod is stuck in `CrashLoopBackOff`. `kubectl describe pod` shows `Last State: Terminated, Reason: OOMKilled, Exit Code: 137`, and the container has `resources.limits.memory: 256Mi` with no `requests` set. Which action most directly addresses the root cause?
  • A. Add a liveness probe with a longer `initialDelaySeconds` so the kubelet stops restarting it
  • B. Raise the memory limit (and set a matching request) to fit the app's real working set, or fix the leak causing it to exceed 256Mi ✓
  • C. Set `restartPolicy: Never` so the pod stops crash-looping
  • D. Increase the node's `--max-pods` so the scheduler places it on a larger node
Correct answer: B. Exit code 137 with OOMKilled means the cgroup memory limit was hit; the fix is sizing the limit to the real footprint or fixing excessive memory use, not probe or restart tweaks.
You have VPC-A peered to VPC-B, and VPC-B peered to VPC-C. An instance in VPC-A cannot reach an instance in VPC-C, even though routes and security groups look correct for each individual peering. Why?
  • A. VPC peering requires overlapping CIDR blocks to route transitively, which A and C lack
  • B. VPC peering is non-transitive; traffic cannot hop A→B→C through B, so you need a direct A↔C peering or a Transit Gateway hub ✓
  • C. Security groups cannot reference peer VPCs, so the packets are dropped at B
  • D. Peering only supports IPv6 transit, so the IPv4 path through B is blocked
Correct answer: B. VPC peering is non-transitive by design; the hub VPC won't forward between two peers, so you need a direct peering or a Transit Gateway.
In AWS, an IAM role has an identity policy granting `s3:*` on all buckets, but a permissions boundary attached to the role only allows `s3:GetObject` and `s3:ListBucket`. A user assumes the role and calls `s3:PutObject`. What happens, and why?
  • A. Allowed, because identity policies override permissions boundaries
  • B. Denied, because the effective permissions are the intersection of the identity policy and the boundary, and PutObject isn't in the boundary ✓
  • C. Allowed, because permissions boundaries only apply to the entity that created the role
  • D. Denied, but only if an SCP also denies PutObject; otherwise allowed
Correct answer: B. A permissions boundary caps maximum permissions; the effective set is the intersection with the identity policy, so an action absent from the boundary is denied even if the identity policy allows it.
A Lambda function behind API Gateway starts returning 429s under a traffic spike, and CloudWatch shows `Throttles` climbing while `ConcurrentExecutions` sits flat at 100. Reserved concurrency for the function is set to 100. What is happening?
  • A. The function hit its reserved-concurrency ceiling of 100, so additional simultaneous invocations are throttled ✓
  • B. Cold starts are exceeding the 15-minute timeout, causing 429 responses
  • C. The account ran out of ephemeral /tmp storage, which surfaces as throttling
  • D. API Gateway's default 10,000 RPS burst was exceeded, unrelated to Lambda concurrency
Correct answer: A. Reserved concurrency of 100 caps the function at 100 simultaneous executions; beyond that, Lambda throttles, which is exactly the flat-at-100 concurrency with rising throttles.
You want engineers in Account A to access an S3 bucket in Account B using short-lived credentials, with no long-lived keys stored anywhere. Which mechanism is correct?
  • A. Create an IAM user in Account B, generate access keys, and share them with Account A engineers
  • B. Create a role in Account B whose trust policy allows Account A's principals to `sts:AssumeRole`, and attach the S3 permissions to that role ✓
  • C. Add Account A's account ID to the bucket ACL and rely on ACL-based cross-account access
  • D. Enable S3 public access and restrict by referer header from Account A
Correct answer: B. Cross-account access with temporary credentials is done via a role in the target account with a trust policy permitting the source account to AssumeRole, yielding short-lived STS credentials.
A Terraform module `network` is referenced as `source = "...//modules/network"` with `version = "~> 2.0"`. Someone tags a new `2.4.0` that renamed an output and changed a subnet's `map_public_ip_on_launch` default. On the next `apply` in prod, what's the realistic risk?
  • A. Nothing changes, because `~> 2.0` pins to exactly 2.0.0 and ignores 2.4.0
  • B. The version constraint silently pulls 2.4.0, and the changed default plus renamed output can force subnet replacement / break downstream references ✓
  • C. Terraform refuses to run because minor upgrades always require `-upgrade` and manual approval per resource
  • D. The state lock prevents the module upgrade from taking effect until unlocked
Correct answer: B. `~> 2.0` allows any 2.x, so `terraform init -upgrade` (or a fresh init) can resolve 2.4.0, whose changed defaults/renamed outputs can trigger destructive plans in prod.
A service mesh is configured for strict mTLS between services, but one legacy pod without a sidecar suddenly can't reach a meshed service that it previously could. Which explanation is most consistent?
  • A. The mesh's strict mTLS mode now requires a client certificate the sidecar-less pod can't present, so its plaintext connections are rejected ✓
  • B. mTLS only affects egress, so ingress to the meshed service is unaffected and the problem must be DNS
  • C. Strict mTLS disables all NetworkPolicies, so the traffic is dropped at the CNI layer
  • D. mTLS encrypts payloads but never rejects connections, so the failure must be a resource limit
Correct answer: A. STRICT mTLS makes the server reject plaintext; a pod with no sidecar can't complete the mutual-TLS handshake, so its connections are refused (PERMISSIVE mode would have allowed them).
A client retries a non-idempotent 'create payment' POST after a network timeout, and the server had actually processed the first request. To prevent a duplicate charge while still allowing safe retries, the most robust design is:
  • A. Switch the endpoint to HTTP PUT, since PUT is always idempotent regardless of body
  • B. Have the client send a unique idempotency key; the server records it and returns the original result on any retry with the same key ✓
  • C. Add exponential backoff with jitter, which by itself guarantees no duplicate processing
  • D. Wrap the handler in a database transaction, which makes any repeated request a no-op automatically
Correct answer: B. A client-supplied idempotency key lets the server deduplicate retries at the application layer; backoff, PUT semantics, or a plain transaction alone don't stop a second distinct request from creating a second charge.
You run a stateless web tier behind an L7 load balancer with autoscaling. During scale-in, users report dropped in-flight requests and truncated downloads. Which fix targets the cause?
  • A. Switch from L7 to L4 load balancing so connections are faster to close
  • B. Enable connection draining / deregistration delay so terminating instances finish in-flight requests before removal ✓
  • C. Increase the health-check interval so instances are marked healthy longer
  • D. Set the autoscaling cooldown to zero so scale-in happens instantly
Correct answer: B. Connection draining (deregistration delay) lets a terminating target complete in-flight requests before the LB stops routing to it, preventing mid-request cutoffs.

Prep for another role

Questions are original, written and independently verified for HireHire's role interview quizzes. They reflect the kind of knowledge Cloud Engineer interviews test, not any specific company's questions. HireHire maps live tech & IT jobs across India, updated regularly. Last updated: July 2026.