I have interviewed for a couple of Amazon L5 Security Engineer positions in India over the last year. I couldn't get through either time, but I'm here if anyone wants any tips. Interviewers were across Seattle/Ireland/Bangalore. #aws #securityengineer TC 55 Lakhs PA
@WFwz66

Round 1 - This is a screener. The interviewer had 25+ years of experience, more than 10 at Amazon.
What happens when you type amazon.com? You should be able to explain the TCP handshake in detail. SYN flood and remediations were asked, as were ARP, DNS, DHCP, SSL handshake and SSL attacks (refer to Thomas Pornin's answer on Stack Exchange), etc., as deep as possible.
SAST vs DAST
Explain SDLC - I explained threat modelling, shifting security left, security in the CI/CD pipeline, etc.

Round 2 (Screener)
1- A situation where you met a goal above and beyond - I spoke about a tool I have written and got deployed with hundreds of users per day
2- Taken a decision without higher-up approval, risk taking
Scenario of a mobile app, web app and database: 2 controls each to protect each level. We did some detailed threat modelling here.

After Round 2 (Screener) - They scheduled 5 rounds, all video conferencing, in a single day.

Final Round 1 - Risk manager interviewing on Leadership Principles - Failed this one
Somehow I got stuck, failing to find the right examples for these questions.
When you had little data but still had to deliver a project, how did you handle it?
Explain a use case where you found multiple issues in a product in a single review. How did you assign risk to the issues found?
What risk frameworks do you use?

Final Round 2 - This was a Bar Raiser round by a Senior Security Engineer - This went quite well
How do you convince developers when they refuse to accept your security recommendations? How do you reach common ground?
Some more leadership questions

Final Round 3 - Cloud Security basics and Network Security - I failed this one
Usually they start from the basics and drill as far as possible.
TCP/IP, UDP differences in depth. Normal high-level answers are not enough.
TCP handshake, SYN/ACK flood attack remediations. They might ask you further questions and challenge your answers.
You should be able to explain error detection and error correction mechanisms etc. for both. - I couldn’t remember these concepts in depth; this was the one that I failed at.
MAC address - ARP in detail, and IP address
Detailed questions on DHCP: does a static IP address require DHCP?
DDoS attack and remediations - L3, L4, L7, refer to https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
I explained how a CDN can absorb all the attacks before they reach the target server. - Not sure if he was satisfied
Questions on Cloud Security: IAM policy differences, why is IAM better - probably was looking for knowledge on STS

Final Round 4 - Application Security - Aced this one
Most of OWASP Top 10 and remediations
A couple of cases of threat modelling:
1- Case of an email exchange server
2- A simple chat app
A couple of leadership principles - Anything innovative you have done recently, how do you keep yourself updated?

Final Round 5 - Hiring Manager - This one went well
Leadership questions:
When was the last time you were asked to submit a project under tight deadlines? How did you manage?
Suppose you have to attend to the issue of a CEO who got phished vs a zero day in your product which is public.

Result: 5 interviews happened on Friday, and they gave the result on Monday evening, quite fast. Overall positive, but since I couldn’t clear the Network Security competency, I was not selected.
I fokin love u
Did u get an offer or something? Anyways, best of luck. At least one person passed an internship interview.
Amazon L5 security engineer in Seattle gets paid around 240k+ and could easily touch 300k. L6 I've heard 400+, but mostly it will be people with 15 yr experience and above.
What’s your base and yoe ?
Base: 41 L Yoe: 10.5
was this for a product security role?
@op I’m planning to move from US to India. Can you give more insights on how the security market in India is? And salaries? I have 6 YOE in AppSec and pentesting.
I'd say around 30-35 L for 6 yr experience you can try. There are quite a few openings, but due to COVID, some are not going forward.
What strategy did you use to not get through ?
Well not having any network security experience is a sure way to NOT get through!
Thanks for the great write up, I haven’t seen anyone posting their interview experience especially in security. Can you suggest some resources on threat modeling?
@heeha Definitely a good resource is Adam Shostack's threat modeling book. Threat modeling is all about analysing from different perspectives: from the perspective of data, users, assets, etc.
Thanks again for sharing your experience.
Interviews are always around multiple competencies which the hiring manager decides. They usually revolve around Risk, Network Security, Application Security, and Behavioral Questions on how to deal with developers on security.
Can you give some example questions?