Code Room
On-call | Hard | oc-g604
Subject: Security (privilege escalation) | Level: Senior–Staff | ~40 min | Common in Security interviews | Industries: Technology, IT services

Question

Your cloud audit-log anomaly detector pages at 02:50: an IAM principal belonging to a low-privilege CI build role performed a sequence in 90 seconds — iam:CreateAccessKey for an admin user, iam:AttachUserPolicy attaching AdministratorAccess to a newly created user, then sts:AssumeRole into the prod admin role and ec2:DescribeInstances across all regions. The build role should only be able to push to one ECR repo. No human was on shift. You're the on-call security engineer. Triage and respond.

What a strong answer looks like

Stop the bleeding first: contain the compromised build role and everything it produced (the new access key, the new user and its AdministratorAccess attachment, the live prod admin session) before anything else. Then form hypotheses from real signals in CloudTrail (source IP, user agent, session name, when the build role's credentials were issued) rather than from guesses. Separate root cause from symptom: the new user and key are symptoms; the root cause is both that someone obtained the build role's credentials and that a role meant to push to one ECR repo was able to call IAM and STS at all. Communicate status as you go, and close with what prevents a repeat: least-privilege permissions on the role, a permission boundary or SCP that denies IAM writes from CI principals, and an alert on any IAM mutation by a non-human role.
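The triage logic a strong answer narrates, as an added example that is not part of the original page: it scopes the incident by following the sts:AssumeRole hop, separates expected from unexpected calls for a role that should only push to ECR, alerts on a burst of IAM/STS escalation calls, collects the pivots an analyst needs, and emits an ordered containment plan as AWS CLI command strings. The CloudTrail-shaped records, account ID, role, user and key names are constructed for this example; nothing here talks to AWS.

```python
"""Triage helper for a CI role that suddenly starts calling IAM and STS."""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT = "123456789012"                                     # hypothetical
BUILD_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ci-build-role"   # hypothetical
PROD_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/prod-admin"      # hypothetical
EXAMPLE_NOW = datetime(2024, 5, 1, 2, 55, tzinfo=timezone.utc)  # fixed "now" for the plan

# Everything the build role legitimately needs: pushing to one ECR repo.
ALLOWED = {("ecr.amazonaws.com", n) for n in (
    "GetAuthorizationToken", "BatchCheckLayerAvailability", "InitiateLayerUpload",
    "UploadLayerPart", "CompleteLayerUpload", "PutImage")}
# From a principal with no IAM rights, any of these is escalation, not noise.
ESCALATION = {("iam.amazonaws.com", "CreateAccessKey"), ("iam.amazonaws.com", "CreateUser"),
              ("iam.amazonaws.com", "AttachUserPolicy"), ("sts.amazonaws.com", "AssumeRole")}


def _ev(t, source, name, issuer=BUILD_ROLE, region="us-east-1", req=None, resp=None):
    """Constructed CloudTrail-shaped record carrying only the fields triage needs."""
    return {"eventTime": t, "eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": issuer}}},
            "requestParameters": req or {}, "responseElements": resp or {}}


# Constructed sample matching the paged sequence: one legitimate push, then the chain.
SAMPLE_EVENTS = [
    _ev("2024-05-01T02:48:30Z", "ecr.amazonaws.com", "PutImage", req={"repositoryName": "app"}),
    _ev("2024-05-01T02:49:05Z", "iam.amazonaws.com", "CreateAccessKey", req={"userName": "admin-ops"},
        resp={"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}),
    _ev("2024-05-01T02:49:20Z", "iam.amazonaws.com", "CreateUser", req={"userName": "svc-backup"}),
    _ev("2024-05-01T02:49:31Z", "iam.amazonaws.com", "AttachUserPolicy",
        req={"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-05-01T02:50:02Z", "sts.amazonaws.com", "AssumeRole", req={"roleArn": PROD_ADMIN}),
    # After AssumeRole the recon comes from the prod-admin session, not the build role.
    _ev("2024-05-01T02:50:20Z", "ec2.amazonaws.com", "DescribeInstances", issuer=PROD_ADMIN, region="eu-west-1"),
    _ev("2024-05-01T02:50:35Z", "ec2.amazonaws.com", "DescribeInstances", issuer=PROD_ADMIN, region="ap-southeast-2"),
]


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _issuer(e):
    return e["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"]


def triage(events, role_arn=BUILD_ROLE, window=timedelta(seconds=120)):
    """Scope the incident for role_arn: follow AssumeRole hops, list every call outside
    ALLOWED, alert when >= 2 ESCALATION calls land inside `window`, collect pivots."""
    events = sorted(events, key=_ts)
    issuers = [role_arn]
    for e in events:  # a role assumed by a tainted session is tainted too
        if (e["eventSource"], e["eventName"]) == ("sts.amazonaws.com", "AssumeRole") \
                and _issuer(e) in issuers and e["requestParameters"]["roleArn"] not in issuers:
            issuers.append(e["requestParameters"]["roleArn"])
    scoped = [e for e in events if _issuer(e) in issuers]
    unexpected = [(e["eventTime"], e["eventSource"], e["eventName"], e["awsRegion"])
                  for e in scoped if (e["eventSource"], e["eventName"]) not in ALLOWED]
    esc = [_ts(e) for e in scoped if (e["eventSource"], e["eventName"]) in ESCALATION]
    burst = max((sum(1 for t in esc if t0 <= t <= t0 + window) for t0 in esc), default=0)
    ind = {"source_ips": sorted({e["sourceIPAddress"] for e in scoped}),
           "user_agents": sorted({e["userAgent"] for e in scoped}),
           "created_keys": [], "created_users": [], "attached_policies": []}
    for e in scoped:
        key, rp = (e["eventSource"], e["eventName"]), e["requestParameters"]
        if key == ("iam.amazonaws.com", "CreateAccessKey"):
            ind["created_keys"].append((rp["userName"], e["responseElements"]["accessKey"]["accessKeyId"]))
        elif key == ("iam.amazonaws.com", "CreateUser"):
            ind["created_users"].append(rp["userName"])
        elif key == ("iam.amazonaws.com", "AttachUserPolicy"):
            ind["attached_policies"].append((rp["userName"], rp["policyArn"]))
    return {"principal": role_arn, "chained_roles": issuers[1:], "unexpected_calls": unexpected,
            "alert": burst >= 2, "indicators": ind}


def _role_name(arn):
    return arn.rsplit("/", 1)[-1]


def containment_plan(finding, now=EXAMPLE_NOW):
    """Ordered containment as AWS CLI strings (nothing is executed): cut off the source
    role, then every role it hopped into, then undo the persistence it created."""
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    deny_all = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]})
    # Deny on tokens issued before `now` kills live sessions of the hopped-into role
    # without blocking fresh, legitimate ones; the build role gets a blanket Deny.
    revoke_old = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]})
    steps = [f"aws iam put-role-policy --role-name {_role_name(finding['principal'])} "
             f"--policy-name IncidentDenyAll --policy-document '{deny_all}'"]
    steps += [f"aws iam put-role-policy --role-name {_role_name(r)} --policy-name "
              f"RevokeOlderSessions --policy-document '{revoke_old}'" for r in finding["chained_roles"]]
    ind = finding["indicators"]
    steps += [f"aws iam update-access-key --user-name {u} --access-key-id {k} --status Inactive"
              for u, k in ind["created_keys"]]
    # Leave the created user in place for forensics; with its policy detached it can do nothing.
    steps += [f"aws iam detach-user-policy --user-name {u} --policy-arn {p}"
              for u, p in ind["attached_policies"]]
    return steps


if __name__ == "__main__":
    finding = triage(SAMPLE_EVENTS)
    print(json.dumps(finding, indent=2))
    print("\n".join(containment_plan(finding)))
```

The order in the plan is the point: deactivating the key or detaching the policy first would leave the attacker's original build-role credentials and the prod-admin session alive to redo both. Deactivating rather than deleting, and leaving the created user in place, keeps evidence for the root-cause work that follows containment.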
