AWS Certified Security – Specialty (SCS-C02) — Question 275
A security engineer discovers that a company’s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):
• AWS Identity and Access Management (IAM) federated with on-premises Active Directory
• Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed
Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Choose two.)
Answer options
- A. Update the password length policy in the IAM configuration.
- B. Update the password length policy in the Cognito configuration.
- C. Update the password length policy in the on-premises Active Directory configuration.
- D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.
- E. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.
Correct answer: B, C
Explanation
For federated users, authentication occurs at the identity provider level, meaning the password policy must be updated within the on-premises Active Directory. For the custom application users, password policies must be configured directly within the Amazon Cognito user pool settings. AWS Organizations SCPs and IAM policies are incapable of enforcing password complexity or length rules for external identity providers or Cognito user pools.