Free SCS-C03 Questions Attempt

The company uses two different identity systems, and password policy must be enforcedat the system that actually stores and manages the passwords. For users authenticating throughIAM federation with on-premises Active Directory, IAM is not storing the users’ passwords; the password policy is enforced byActive Directory. Therefore, the minimum password length must be configured in theon-premises AD password policyso federated users are subject to the requirement during password creation/changes.

For the cloud application that usesAmazon Cognito user poolsas its user database, Cognitodoesstore and manage user passwords for those users. Cognito user pools include a configurable password policy (minimum length and complexity requirements). Updating the Cognito user pool password policy enforces the required minimum length for the application’s users going forward.

Options D and E are not applicable. Service control policies (SCPs) restrict AWS API actions; they cannot enforce end-user password-length rules inside AD or Cognito. Similarly, IAM policies control authorization to AWS resources and APIs, not password complexity/length requirements across external IdPs or Cognito user databases. Updating IAM password policy (Option A) would apply only toIAM users(local users in AWS), which is not the authentication model described for the federated workforce.

The policy currently grants s3:GetObject but targets thebucket ARN(arn:aws:s3:::DOC-EXAMPLE-BUCKET). For Amazon S3, object-level actions such asGetObjectmust referenceobject ARNs, not the bucket ARN. The correct resource pattern is the bucket ARNwith /*appended (for example, arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) so the permission applies to objects within the bucket. Without this, S3 evaluates the request against a resource that does not match the requested object, resulting in an access denial even though the action appears correct.

The other options do not address the root cause. Expanding actions (Option B) is unnecessary and overly permissive, and it still would not fix the incorrect resource ARN for object reads. Changing principals or removing conditions (Option A) is not required just to allow reads—Lambda typically accesses S3 using the function’sexecution role, and bucket policies are commonly used for cross-account or service-based access control, but the immediate failure here is the mismatch between s3:GetObject and the bucket-only resource. Option D is invalid because it inverts principal/service usage and sets an incorrect resource type for S3 authorization.

Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.

AWS WAF cannot be directly associated with Cognito user pools.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Threat Protection

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config