An engineer accidentally commits an active cloud credential and pushes it to your repo. Walk me through your response and what order you do things in.

technical-conceptual · Senior level · cloud-devops-security

What the interviewer is really asking

Assesses whether the candidate treats a committed live secret as compromised the instant it's pushed — rotate/revoke first, assess blast radius and check for use, then scrub history as secondary — and can reason about why deleting the commit is not remediation and how to prevent recurrence, rather than reaching for git history surgery first.

What to say

What to avoid

Example answers

Strong: A pushed secret is compromised the instant it lands, so step one is revoke and rotate the credential — until that's done, scrubbing Git is pointless because the key still works and scrapers hit public and even private leaks fast. Step two is blast radius: what could it reach, and pull CloudTrail to see if it was already used; if it was, that's an incident with a real severity, not a near-miss. Only then do I scrub history with filter-repo and invalidate forks and caches — that's hygiene, not the fix. Then I turn on push protection and pre-commit scanning so the next one never lands.

Weak: I'd remove the credential from the repo and rewrite the Git history with filter-repo so the commit is gone, then force-push the clean history. Once it's no longer in the repo the secret isn't exposed anymore, so that handles it.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.