Code Room
On-call · Medium
Question
Your cloud security posture tool fires a HIGH alert at 11:20: an S3 bucket named prod-user-uploads has a bucket policy granting s3:GetObject to Principal '*' and Block Public Access was disabled on it 9 days ago by an automated Terraform apply. Access logs show ~3,000 GET requests from outside your VPC over the past week, including listings of object keys that follow the pattern userid/document.pdf. The bucket holds user-uploaded ID documents. You're on call. Triage and contain.
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
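As an added example (not part of the original question), here is one way to turn the access logs into a scoping answer once the bucket is contained: which user IDs had documents successfully read from outside the VPC, and from which sources. The VPC CIDR `10.0.0.0/16`, the function name `scope_exposure`, and every log record are constructed assumptions; the records follow the leading fields of the S3 server access log format.

```python
import ipaddress
import re
from collections import defaultdict

# Leading fields of an S3 server access log record (later fields are ignored).
LOG_RE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'\S+ (?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\S+) '
)

# Assumption: the VPC uses 10.0.0.0/16; any other source counts as external.
INTERNAL = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed sample records using documentation IP ranges only.
SAMPLE = [
    'ownerid prod-user-uploads [02/Mar/2024:09:14:02 +0000] 198.51.100.7 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 812 - 12 11 "-" "-" -',
    'ownerid prod-user-uploads [02/Mar/2024:09:14:05 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT 1001/passport.pdf "GET /1001/passport.pdf HTTP/1.1" 200 - 48213 48213 30 9 "-" "-" -',
    'ownerid prod-user-uploads [03/Mar/2024:17:40:11 +0000] 203.0.113.9 - REQ3 REST.GET.OBJECT 1002/license.pdf "GET /1002/license.pdf HTTP/1.1" 200 - 39004 39004 28 8 "-" "-" -',
    'ownerid prod-user-uploads [03/Mar/2024:17:41:00 +0000] 10.0.4.21 arn:aws:iam::111122223333:role/app REQ4 REST.GET.OBJECT 1003/passport.pdf "GET /1003/passport.pdf HTTP/1.1" 200 - 51020 51020 25 7 "-" "-" -',
    'ownerid prod-user-uploads [04/Mar/2024:02:03:44 +0000] 203.0.113.9 - REQ5 REST.GET.OBJECT 1004/passport.pdf "GET /1004/passport.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "-" -',
    'truncated record',
]

def scope_exposure(lines, internal=INTERNAL):
    """Summarise successful external reads: affected users, sources, listings."""
    users = defaultdict(set)  # user id -> object keys fetched from outside
    sources, listings, skipped = set(), 0, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1      # count unparsed evidence instead of hiding it
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in internal):
            continue          # traffic from inside the VPC is out of scope
        if m["status"] not in ("200", "206"):
            continue          # denied or failed requests returned no data
        sources.add(str(ip))
        if m["op"] == "REST.GET.BUCKET":
            listings += 1     # key enumeration, not a document read
        elif m["op"] == "REST.GET.OBJECT" and "/" in m["key"]:
            users[m["key"].split("/", 1)[0]].add(m["key"])
    return {"users": dict(users), "sources": sorted(sources),
            "listings": listings, "skipped": skipped}
```

The `users` map is the notification list for the disclosure decision; a non-zero `skipped` count means the scope is a lower bound until those records are reviewed by hand.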