Over-Engineering — AWS Security Specialty (SCS-C03)

Whether to use AWS Fault Injection Service with native experiment templates and CloudTrail audit integration to drive IR plan validation, or build a custom Lambda plus EventBridge plus DynamoDB state-tracking harness that replicates the same fault-simulation capability at significantly higher operational complexity.

Which architecture satisfies both the 15-minute mean-time-to-respond SLA and the forensic evidence preservation requirement using the least custom state-management infrastructure?

Whether to orchestrate containment and evidence-collection as parallel managed states in Step Functions (correct) versus building equivalent logic inside a single Lambda function backed by a DynamoDB state table (over-engineered) or using a single SSM Automation document that executes steps sequentially (near-right, fails parallel-execution and audit-granularity constraints).

Whether to use IAM Identity Center as the managed workforce SSO orchestration layer (centralized MFA enforcement, AD sync, permission sets) or configure per-account SAML federation directly through STS (functionally valid but operationally over-engineered for this population and scale).

Whether to use IAM Identity Center with AD Connector as a managed multi-account workforce identity orchestration layer or manually configure per-account IAM SAML providers with STS AssumeRoleWithSAML federation—selecting the option that satisfies least-privilege credential vending while minimizing identity lifecycle operational burden at multi-account scale.

When authorization requires evaluating two independent dynamic user attributes (tenant identity and clearance level) per request without role proliferation, does IAM ABAC with resource-tag conditions or Amazon Verified Permissions Cedar policies better satisfy the least-privilege constraint — and which option over-engineers the authorization infrastructure?

Whether to deploy IAM Identity Center with the corporate OIDC provider as an external identity source—gaining managed MFA enforcement, centralized permission sets, and automatic multi-account propagation—or to federate through Amazon Cognito user pool federation feeding per-account STS AssumeRoleWithWebIdentity, which is technically functional but misclassifies the identity population and demands custom MFA orchestration and per-account role mapping.

When tenant isolation maps statically and exclusively to a resource-path prefix, STS AssumeRole with an inline session policy is the minimal sufficient control — it scopes the vended credential at assumption time, requires no tag governance pipeline, no additional service, and no role proliferation, directly satisfying least-privilege with the lowest operational overhead.

Choose Amazon Cognito Identity Pools as the managed credential broker over a custom Lambda token vending machine backed by raw STS AssumeRoleWithWebIdentity calls — because Cognito natively enforces TTL, handles token refresh, maps external identity to IAM role, and requires zero custom orchestration code, directly satisfying the no-custom-token-management constraint.

Whether to use IAM Identity Center native ABAC — propagating the IdP business-unit attribute as a principal tag and enforcing isolation via a single tag-condition permission set — or a custom Lambda-brokered STS AssumeRole pattern that generates per-business-unit inline session policies at query time.

Whether the stated FIPS 140-2 Level 2 HSM requirement and CloudTrail audit obligation for S3 encryption at rest is fully satisfied by a KMS customer-managed key with SSE-KMS, or whether it requires a dedicated CloudHSM cluster — with the correct answer hinging on the precision of 'Level 2' versus 'Level 3' in the compliance language.

Whether a KMS customer-managed key with S3 SSE-KMS plus S3 Object Lock in compliance mode fully satisfies the HIPAA encryption-at-rest and WORM retention requirements, or whether the phrase 'customer-managed key' triggers a CloudHSM hardware-custody architecture that over-engineers beyond the regulatory mandate.