AWS Certified Security – Specialty (SCS-C03) — Question 9

A security engineer discovers that a company’s user passwords have no required minimum length. The company is using the following two identity providers (IdPs):
AWS Identity and Access Management (IAM) federated with on-premises Active Directory
Amazon Cognito user pools that contain the user database for an AWS Cloud application that the company developed
Which combination of actions should the security engineer take to implement a required minimum length for the passwords? (Choose two.)

Answer options

• A. Update the password length policy in the IAM configuration.
• B. Update the password length policy in the Cognito configuration.
• C. Update the password length policy in the on-premises Active Directory configuration
• D. Create an SCP in AWS Organizations. Configure the SCP to enforce a minimum password length for IAM and Cognito.
• E. Create an IAM policy that includes a condition for minimum password length. Enforce the policy for IAM and Cognito.

Correct answer: B, C

Explanation

The correct actions are to modify the password length policy in the Cognito configuration (B) and the on-premises Active Directory configuration (C) because these are the systems directly managing user authentication. Options A, D, and E are incorrect as they do not directly apply to enforcing minimum password length for both IdPs involved in the user management process.