Cloud Engineer
Interview Guide 2025

How cloud engineering interviews are structured

Cloud engineering interviews in the US typically run across four rounds. A recruiter screen focuses on your primary cloud provider depth and certifications. A technical screen covers core services, IAM, and networking fundamentals. A design round tests your ability to architect a specific solution — landing zone design, multi-region failover, data lake architecture. A final round with engineering leadership covers your approach to cost management, security posture, and operational excellence.

AWS architecture: what senior roles test

For AWS-focused roles, expect questions in three areas. Core services and their trade-offs: when do you use Aurora vs RDS vs DynamoDB? When do you use ECS vs EKS vs Lambda? How do you design for multi-region active-active? Networking: VPC design, Transit Gateway, PrivateLink, Direct Connect. Security: IAM least-privilege design, SCP structures in AWS Organizations, CloudTrail, Security Hub, GuardDuty. Senior roles almost always include a live architecture whiteboard where you design a complete AWS solution for a given scenario.

Azure and multi-cloud expectations

Azure-focused roles place heavy weight on Azure Active Directory (Entra ID), Azure Policy, Management Groups, and Azure Landing Zone design (the CAF). Bicep and ARM template authoring are more common in Azure interviews than Terraform, though Terraform + Azure is also common. Multi-cloud roles increasingly test conceptual equivalence — can you describe the Azure equivalent of AWS Transit Gateway? What are the trade-offs between AWS Cognito and Azure Entra ID B2C?

FinOps: the growing interview area

Cost optimisation knowledge is now expected at the senior level in most cloud engineering interviews. Expect questions on: Reserved Instances vs Savings Plans vs Spot instances (and when each is appropriate), Cost Explorer usage, implementing tagging strategies for cost attribution, right-sizing recommendations, and implementing cloud budget alerts. Engineers who can demonstrate experience reducing cloud spend by a specific percentage — with a clear explanation of the approach — are significantly differentiated.

Cloud security architecture

Cloud security is the fastest-growing sub-discipline in cloud engineering and increasingly tested even in non-security-specific roles. Key areas: IAM role and policy design (least privilege, role chaining, condition keys), VPC security groups vs NACLs vs firewall, encryption at rest and in transit (KMS, certificate management), compliance frameworks (SOC 2, PCI DSS, HIPAA) and how cloud controls map to them, and CSPM tooling (Prisma Cloud, Wiz, AWS Security Hub). Landing zone and guardrail design is the most common senior architecture question.

How to stand out in cloud engineering interviews

Three differentiators consistently separate strong candidates: first, specific cost impact — being able to say 'I redesigned our VPC architecture which reduced our NAT Gateway costs by 40%' rather than 'I worked on cost optimisation.' Second, genuine multi-cloud or at least dual-cloud exposure. Third, cloud security depth beyond basic IAM. The combination of architecture fluency, cost awareness, and security posture is what employers mean when they say 'senior cloud engineer.'