InterviewStack.io LogoInterviewStack.io

Amazon Information Security Analyst (Mid-Level) Interview Preparation Guide

Information Security Analyst
Amazon
Mid Level
8 rounds
Updated 6/13/2026

Amazon typically uses a multi-round interview process for mid-level security roles. The process begins with recruiter screening, followed by 2 technical phone screens focused on incident response, SIEM tools, and cloud security, and concludes with 5 onsite rounds covering technical security depth, cloud architecture, threat detection, system thinking, and Amazon Leadership Principles.

Interview Rounds

1

Recruiter Screening

2

Technical Phone Screen 1: Incident Response & SIEM Deep Dive

3

Technical Phone Screen 2: AWS Security & Cloud Architecture

4

Onsite Round 1: Incident Response Deep Dive (Technical)

5

Onsite Round 2: Threat Detection & MITRE ATT&CK Framework (Technical)

6

Onsite Round 3: Cloud Architecture & Security Design (Technical)

7

Onsite Round 4: System Thinking & Workload Security Analysis (Technical)

8

Onsite Round 5: Amazon Leadership Principles & Behavioral (Culture Fit)

Frequently Asked Information Security Analyst Interview Questions

Detection, Monitoring, and Incident Response CapabilitiesMediumTechnical
52 practiced
Describe the lifecycle for creating, testing, deploying, and maintaining a SIEM detection use-case in a production SOC. Include requirements gathering, rule development, test data creation, tuning strategies, deployment practices, monitoring, and retirement criteria.
Alert Tuning and Detection EngineeringEasyTechnical
55 practiced
Describe five practical techniques you would apply to reduce false positives for a noisy detection that flags a common administrative script as malicious across 80% of endpoints. Give a short example for each technique (e.g., allowlisting, context-aware exclusions, temporal thresholds, process ancestry checks, enrichment-based scope narrowing).
MITRE ATTACK FrameworkEasyTechnical
19 practiced
Create a detection hypothesis for persistence via scheduled tasks on Windows. Include: observable event types, minimum required telemetry fields, suggested detection logic (high-level or pseudocode), and a plan to tune the rule to reduce false positives in a corporate environment.
Security Monitoring and Threat DetectionMediumTechnical
71 practiced
Explain how you would design anomaly detection thresholds for a KPI like 'failed logins per user per hour' using statistical techniques. Compare using z-score thresholds (number of standard deviations) versus EWMA (exponentially weighted moving average), discuss seasonality handling, sensitivity to spikes, and how to set/update parameters operationally.
Log Analysis and Threat Hunting in Security DataHardTechnical
79 practiced
Describe advanced techniques to detect covert command-and-control channels over HTTPS when payloads are encrypted. Focus on metadata-only signals: SNI anomalies, certificate fingerprint/issuer anomalies, unusual TLS versions/cipher suites, IP/ASN reputation, timing/beaconing patterns, and DNS/TLS fingerprint correlation. Explain how you'd turn these signals into reliable detections.
Security Incident Investigation and RemediationHardSystem Design
66 practiced
Design a tamper-evident logging architecture suitable for forensic investigations and legal evidence. Include: log collection pipeline, secure transport, immutable storage (WORM), integrity verification (e.g., chained hashes or Merkle trees), key management for signatures, and a strategy to scale for millions of events per day while preserving searchable indexes for investigators.
Cloud Security FundamentalsEasyTechnical
57 practiced
Explain the shared responsibility model in cloud computing. For each service model (IaaS, PaaS, SaaS) describe which security controls are typically the provider's responsibility and which are the customer's. Provide concrete examples (for example, EC2, RDS, and Gmail), describe a couple of common gray-area responsibilities, and explain how you would document responsibility boundaries for a new cloud service onboarding.
Detection, Monitoring, and Incident Response CapabilitiesHardTechnical
49 practiced
Create a Sigma detection rule (or equivalent structured pseudocode) that correlates three events on the same host within a 15-minute window: suspicious PowerShell parent-child process chains (e.g., powershell -> encoded command), unusual outbound DNS TXT requests, and creation of scheduled tasks. Explain chosen fields, correlation window, and how to reduce false positives.
Alert Tuning and Detection EngineeringMediumTechnical
44 practiced
Compare real-time streaming detections and scheduled batch detections in a hybrid cloud environment. Discuss differences in detection latency, resource consumption, stateful correlation complexity, windowing semantics, and typical use-cases where each approach is preferable (e.g., immediate lateral movement alerts vs complex long-window analytics).
MITRE ATTACK FrameworkHardTechnical
25 practiced
You are given a complex APT timeline (condensed): 1) Spearphish macro launches mshta; 2) Base64 PowerShell downloads payload; 3) procdump.exe is run targeting lsass; 4) SMB connections to other hosts with admin$ access; 5) Files archived and SCP'd to external IP; 6) Scheduled task created to persist. Map each step to ATT&CK techniques/sub-techniques (include likely IDs), assign confidence levels (high/medium/low) with justification, propose immediate IR steps, and identify telemetry gaps.

Want to create your own tailored preparation guide using our deep research?

Get Started for Free

Interview-Ready Courses

Visual-first, interactive, structured learning paths

Browse Information Security Analyst jobs

AI-enriched listings across hundreds of company career pages

Explore Jobs