A security engineer discovers that a company ' s user passwords have no required minimum...

The company uses two different identity systems, and password policy must be enforcedat the system that actually stores and manages the passwords. For users authenticating throughIAM federation with on-premises Active Directory, IAM is not storing the users’ passwords; the password policy is enforced byActive Directory. Therefore, the minimum password length must be configured in theon-premises AD password policyso federated users are subject to the requirement during password creation/changes.

For the cloud application that usesAmazon Cognito user poolsas its user database, Cognitodoesstore and manage user passwords for those users. Cognito user pools include a configurable password policy (minimum length and complexity requirements). Updating the Cognito user pool password policy enforces the required minimum length for the application’s users going forward.

Options D and E are not applicable. Service control policies (SCPs) restrict AWS API actions; they cannot enforce end-user password-length rules inside AD or Cognito. Similarly, IAM policies control authorization to AWS resources and APIs, not password complexity/length requirements across external IdPs or Cognito user databases. Updating IAM password policy (Option A) would apply only toIAM users(local users in AWS), which is not the authentication model described for the federated workforce.