This hard-level Cloud/Tools question appears frequently in data engineering interviews at companies like Amazon. While less common, it tests deeper understanding that distinguishes strong candidates.
This is a senior-level question that tests architectural thinking. Lead with the high-level design, then drill into specifics. Discuss trade-offs explicitly - there is rarely one correct answer. Show awareness of scale, fault tolerance, and operational complexity.
Security and privacy require defense in depth with clear architectural rationale.

**Why**: Regulatory risk (GDPR fines at 4% revenue, HIPAA breach penalties) and reputational damage outweigh any cost of over-investing.

**Architecture**: Encrypt at rest with customer-managed KMS keys—SSE-KMS gives you CloudTrail audit trails for key usage, which compliance teams require; SSE-S3 does not. Encrypt in transit with TLS 1.2+ and enforce via bucket policies. Apply least-privilege IAM with role-based access; eliminate long-lived credentials—use workload identity federation for cross-account.

**Scalability trade-off**: KMS has a default limit of 10,000 requests/sec per key—at high throughput, use data key caching or multiple keys.

**Cost**: KMS costs $1/month per key plus $0.03 per 10K requests; at petabyte scale with millions of requests, this adds up—batch operations and key reuse matter.

Use VPC endpoints to avoid data egress to the public internet. For PII/PHI, apply column-level encryption and dynamic data masking in non-production; tokenize payment data (PCI scope reduction). Segment data by sensitivity tier; use dedicated KMS keys per environment for blast-radius containment. Enable CloudTrail, Macie for automated discovery, and document data flows with lineage in a catalog.

**Result**: At scale, we tiered 200+ TB of customer data across Standard/Glacier with CMK, reducing compliance audit findings from 12 to 0.
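The answer says to enforce TLS 1.2+ and SSE-KMS through bucket policies; the following is an added example, not part of the original answer, that audits a bucket policy document for the three Deny statements that enforce them. The bucket name `example-data-lake`, the sample policy and the function names are assumptions made for illustration.

```python
import json

# Constructed sample policy; the bucket name "example-data-lake" is a placeholder.
ARNS = ["arn:aws:s3:::example-data-lake", "arn:aws:s3:::example-data-lake/*"]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ARNS, "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ARNS, "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
    {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": ARNS[1],
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}

# control name -> (action, condition operator, condition key, value) of the enforcing Deny
CONTROLS = {
    "tls_required": ("s3:*", "Bool", "aws:SecureTransport", "false"),
    "tls_1_2_minimum": ("s3:*", "NumericLessThan", "s3:TlsVersion", "1.2"),
    "sse_kms_on_put": ("s3:PutObject", "StringNotEquals",
                       "s3:x-amz-server-side-encryption", "aws:kms"),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def enforces(stmt, action, operator, key, value):
    """True if stmt is a Deny for all principals on `action` with exactly this condition.
    Resource scoping is not checked here."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = {a.lower() for a in as_list(stmt.get("Action", []))}
    if not actions & {"*", "s3:*", action.lower()}:
        return False
    cond = stmt.get("Condition", {})
    # Extra operators or keys are ANDed and would narrow the Deny, so require an exact match.
    if list(cond) != [operator] or len(cond[operator]) != 1:
        return False
    (found_key, found_value), = cond[operator].items()
    found = [str(v).lower() for v in as_list(found_value)]
    return found_key.lower() == key.lower() and found == [value]

def missing_controls(policy):
    """Names of the controls from CONTROLS that no statement in the policy enforces."""
    statements = as_list(policy.get("Statement", []))
    return [name for name, rule in CONTROLS.items()
            if not any(enforces(s, *rule) for s in statements)]

if __name__ == "__main__":
    print(json.dumps({"missing": missing_controls(POLICY)}))
```

A statement that carries an additional condition is deliberately reported as not enforcing the control, because the extra condition limits which requests the Deny applies to.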
According to DataEngPrep.tech, this is one of the most frequently asked Cloud/Tools interview questions, reported at 1 company. DataEngPrep.tech maintains a curated database of 1,863+ real data engineering interview questions across 7 categories, verified by industry professionals.