ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company stores sensitive health records in a public cloud object storage bucket. Compliance rules require: 1) the firm must generate and retain exclusive control of encryption keys, 2) administrators must be able to revoke data access immediately without re-encrypting the objects, and 3) all key usage must be auditable through API logs. Which data-at-rest protection approach in the cloud best satisfies these requirements?
Enable the storage service's default server-side encryption that uses provider-managed keys.
Perform client-side AES-256 encryption of every object and store the keys on each end-user workstation.
Use the cloud provider's key management service with a customer-managed master key imported via BYOK and let the storage service perform server-side envelope encryption.
Hash each health record with SHA-256 before uploading it to the bucket.
Using a customer-managed key that is imported (BYOK) into the provider's key management service meets all three stated controls. The organization generates the root key material on-premises (typically in its own HSM) and imports it as a customer master key (CMK); the storage service then performs server-side envelope encryption, asking the KMS for a fresh random data key per object, encrypting the object with that data key, and storing only the ciphertext together with the data key wrapped (encrypted) under the CMK. Because the CMK never leaves the KMS, an administrator can disable the CMK or schedule its deletion, which immediately causes every subsequent unwrap of a data key to fail and so blocks access to the objects without rewriting a single byte of stored ciphertext. Every call that uses the CMK (generate, encrypt, decrypt, disable) is recorded in the provider's KMS API audit log, giving the required accountability. One caveat a practitioner should keep in mind: with BYOK the imported material does reside in the provider's HSMs, so "exclusive control" here means the customer holds the only off-platform copy and can delete the imported material at will; if key material must never be present in the provider's environment at all, an external key manager (hold-your-own-key) is the stronger, but more operationally demanding, option. The other choices fail: provider-managed keys do not give the customer control over key generation or revocation; client-side encryption with keys on every end-user workstation scatters the keys, offers no central revocation and no centralized usage log; and hashing is one-way, so the records could never be read back, let alone be subject to key management.
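As an added worked example (written for this page, not taken from it or from any provider's SDK), the Go program below models the mechanism the explanation describes with a toy in-process KMS: the customer generates root key material off-platform and imports it, the storage service asks the KMS for a wrapped data key per object and keeps only ciphertext plus the wrapped key, disabling the CMK makes the next unwrap fail without touching stored ciphertext, and every CMK call lands in an audit log. The KMS type and its method names, the use of the object name as additional authenticated data, and the sample record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is a toy model of a cloud key management service written for this page; not any provider's API.
type KMS struct {
	cmk      []byte   // root key material the customer generated and imported (BYOK)
	enabled  bool     // false once an administrator disables the CMK
	AuditLog []string // one entry per API call that uses the CMK
}

var ErrKeyDisabled = errors.New("kms: customer master key is disabled")

// gcmFor builds AES-GCM; every key in this model is 32 bytes, so an error here is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal/open: AES-256-GCM with a random 96-bit nonce prepended; aad is the object name.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand is documented not to fail
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// GenerateDataKey returns a fresh random data key plus that key wrapped under the CMK.
func (k *KMS) GenerateDataKey(name string) ([]byte, []byte, error) {
	k.AuditLog = append(k.AuditLog, "GenerateDataKey name="+name)
	if !k.enabled {
		return nil, nil, ErrKeyDisabled
	}
	plain := make([]byte, 32)
	rand.Read(plain) // generated at random, not derived from the CMK
	return plain, seal(k.cmk, plain, []byte(name)), nil
}

// Decrypt unwraps a data key; disabling the CMK cuts this call off, which is the revocation.
func (k *KMS) Decrypt(wrapped []byte, name string) ([]byte, error) {
	k.AuditLog = append(k.AuditLog, "Decrypt name="+name)
	if !k.enabled {
		return nil, ErrKeyDisabled
	}
	return open(k.cmk, wrapped, []byte(name))
}

// DisableKey is the administrator's immediate revocation switch; stored objects are untouched.
func (k *KMS) DisableKey() {
	k.AuditLog = append(k.AuditLog, "DisableKey")
	k.enabled = false
}

// PutObject is server-side envelope encryption: the bucket keeps only ciphertext plus the wrapped data key.
func PutObject(k *KMS, name string, data []byte) ([]byte, []byte, error) {
	dek, wrapped, err := k.GenerateDataKey(name)
	if err != nil {
		return nil, nil, err
	}
	return seal(dek, data, []byte(name)), wrapped, nil // plaintext dek is dropped here
}

// GetObject unwraps the data key through the KMS, then decrypts the object.
func GetObject(k *KMS, name string, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrappedDEK, name)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(name))
}

func main() {
	material := make([]byte, 32) // constructed: generated on the customer's own HSM or host
	rand.Read(material)
	kms := &KMS{cmk: material, enabled: true} // BYOK import: the KMS receives only the bytes
	ct, wrapped, _ := PutObject(kms, "records/0001.json", []byte("constructed sample record"))
	got, _ := GetObject(kms, "records/0001.json", ct, wrapped)
	kms.DisableKey() // revoke: ct stays exactly as stored, no re-encryption
	_, err := GetObject(kms, "records/0001.json", ct, wrapped)
	fmt.Printf("before: %q\nafter: %v\naudit: %q\n", got, err, kms.AuditLog)
}
```

Run it with go run: the sample record decrypts before DisableKey and fails with ErrKeyDisabled afterwards while the stored ciphertext and wrapped key are byte-for-byte unchanged, and the audit log lists every CMK call in order. Binding the wrapped key to the object name as AAD is the toy equivalent of a KMS encryption context; it also means a wrapped key copied onto a different object fails to unwrap.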
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Data Security