Talpro India Pvt Ltd · Registered Office: Bengaluru, Karnataka, India · CIN: U74999KA2020PTC135946 · GSTIN: 29AAHCT9485A1ZX

© 2026 Talpro India Pvt Ltd. All rights reserved.


Cloud Architect Assessment Framework

Cloud architect is one of the most expensive hires in Indian IT staffing and one of the easiest to get wrong. A real cloud architect designs for cost, security, scale, and operations simultaneously, codes the infrastructure themselves in Terraform or CloudFormation, and has walked through at least one large migration. A fake cloud architect draws reference architectures from AWS blog posts, labels every component in pastel colors, and has never actually operated the systems they designed. The market is paying 45 to 90 lakhs per annum for senior cloud architects in Bangalore, Mumbai, and Hyderabad. At that price clients are unforgiving about fake credentials. The fastest screening question is "walk me through one specific cost optimization you executed that saved more than $10,000 per month." Real architects light up — they have war stories about Elastic IPs nobody claimed, S3 buckets with no lifecycle policy, over-provisioned RDS instances, or dev environments running 24 by 7. Fake architects give abstract answers about "rightsizing" with no specific dollar figure.

Key skills

Must-have

Multi-account and multi-region design

Has designed cloud setups beyond single-account, single-region. Understands AWS Organizations with SCPs, GCP folder hierarchies, or Azure management groups. Knows when to split accounts by environment, team, compliance zone, and billing. Has handled a real cross-account networking setup.

Production-grade IAM

Has designed real IAM policies, role assumption patterns, cross-account access, and federation. Not "I gave the team admin access." Can explain the difference between resource-based and identity-based policies, when to use permission boundaries, and why least-privilege is harder than it looks.

Cost awareness and discipline

Has reviewed real cloud bills (not just dashboards), knows the top five cost drivers for their last project, and has executed at least one significant cost optimization. Can name specific services, specific dollar amounts, and specific techniques (Reserved Instances, Savings Plans, Spot, S3 lifecycle, idle instance cleanup).

Networking depth

VPC design with subnets and route tables, VPC peering versus Transit Gateway, VPN and Direct Connect, private endpoints, security groups vs network ACLs. Many cloud problems reduce to networking problems; architects weak here create painful incidents.

Production IaC

Terraform, CloudFormation, Pulumi, or CDK. Has written infrastructure-as-code currently running in production. Knows state management, drift handling, and when to import existing resources. Can write a non-trivial module live in an interview.

Nice-to-have

Multi-cloud experience

AWS plus Azure, AWS plus GCP, or all three. Premium signal for true multi-cloud roles. Understands the real trade-offs — not every service has a direct equivalent, and lift-and-shift across clouds is rarely a week-long project.

Compliance background

SOC2, ISO 27001, PCI DSS, HIPAA, RBI guidelines for BFSI clients, or DPDP Act for Indian data. Reduces ramp on regulated workloads dramatically. Ask for specific audits they helped pass.

Migration experience

Has owned at least one large migration — lift-and-shift, replatform, or full refactor. Knows the realistic timeline (18 months, not six weeks) and the political challenges (sign-off, training, parallel-run cost).

Hands-on coding

Architects who still write code produce better designs than pure-PowerPoint architects. Ask when they last committed code, in what language, and whether the code is running in production.

FinOps practice

Cloud financial management is a discipline. Architects with FinOps Certified Practitioner or equivalent understand that cost is an architectural concern, not an afterthought.

Interview questions (8)

1. Walk me through a cloud architecture you designed end-to-end in the last 18 months. Whiteboard it. I want the trade-offs you made.

What to listen for

Specific design with named services, specific trade-offs (availability vs cost, complexity vs operational burden, regional redundancy vs data residency), operational metrics (latency, uptime, cost per month). Strong architects spontaneously mention something they would redesign today with current knowledge.

2. A team is spending $50,000 per month on AWS. You have one week to identify cost reductions. Where do you start and what tools do you use?

What to listen for

Cost Explorer for top-line breakdown, Trusted Advisor for obvious waste (unattached EBS, idle Elastic IPs, oversized RDS), Reserved Instances or Savings Plans for steady-state, S3 lifecycle for cold data, dev environment scheduling, untagged resource cleanup. Strong answers cite specific services and specific savings percentages from past work.

3. Design IAM for a 50-engineer team across 5 environments (dev, test, staging, prod, sandbox). Give me the structure.

What to listen for

Identity federation with SSO (Okta, Azure AD), role-based access with named roles per environment, least-privilege with deny-by-default, Service Control Policies at Organization level for guardrails, break-glass accounts with strong MFA, regular access review cadence. Not per-user accounts or shared credentials.

4. Describe a cloud security incident you responded to. What was the blast radius, what went wrong, what did you change afterward?

What to listen for

Specific incident — exposed S3 bucket, leaked access key, over-permissive security group, container breakout, IAM privilege escalation. Specific containment, root cause analysis, long-term prevention (new SCP, Config Rule, CloudTrail alert). "We have never had an incident" is disqualifying.

5. A team asks you to choose between RDS Postgres, Aurora Postgres, DynamoDB, and self-managed Postgres on EC2. How do you decide?

What to listen for

Workload characteristics drive the decision — access patterns, data model, consistency requirements, team operational capacity, cost at their scale. Not "Aurora is always better" or "use DynamoDB for everything." Strong architects ask clarifying questions first.

6. Design a disaster recovery strategy for a critical financial workload serving Indian customers. What are your RPO and RTO targets, and how do you validate them?

What to listen for

Multi-region active-passive or active-active based on RTO needs, regular failover testing (twice a year with real traffic), data replication matched to RPO, runbooks with specific people named, awareness that RBI data residency requires primary in India. Not "we have backups" without failover testing.

7. Name one cloud anti-pattern you see repeatedly at companies you consult with.

What to listen for

Specific anti-pattern with impact — snowflake EC2 instances, Kubernetes for workloads that should be Lambda, production secrets in environment variables, long-lived access keys, single account for all environments. Reveals depth and opinion.

8. You are asked to build a serverless application handling 1 million requests per day at peak. Walk me through the architecture and the cost model.

What to listen for

API Gateway plus Lambda plus DynamoDB or RDS Proxy, CloudFront for static assets, cost modeling with specific per-request pricing, cold start mitigation, concurrency limits. Strong candidates note when serverless is NOT appropriate (sustained high throughput, heavy compute).

Evaluation rubric

Score each candidate against these weighted criteria. Total: 100%.

| Criterion | Weight | Signal |
| --- | --- | --- |
| Production architecture | 30% | Designed and operated real architectures at scale. Can describe specific workloads with specific numbers. Not slideware. |
| IAM and security design | 20% | Real IAM design experience. Awareness of cloud security pitfalls. Has responded to a real incident. |
| Cost discipline | 20% | Has reviewed actual cloud bills. Executed real cost reductions with specific dollar impact. Understands Reserved Instances and Savings Plans. |
| Networking and connectivity | 15% | Designed VPC beyond defaults. Knows hybrid and multi-region patterns. Can whiteboard a VPC layout with route tables. |
| Operational mindset | 15% | Designs for day-2 operations — monitoring, alerting, incident response, upgrades. Not just build-and-hand-off. |

Red flags

Architecture deliverables are diagrams only — has never personally operated the systems they designed

Cannot describe a specific cost optimization with specific dollar amount saved

Has never responded to a real cloud security incident — treats security as theoretical

Cloud-native vocabulary but "use every AWS service" aesthetic — signals vendor marketing rather than taste

Hostile to multi-cloud or serverless based on dogma rather than specific project experience
