ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A financial services company is refactoring its monolithic on-premises application into microservices hosted in separate AWS accounts. To comply with internal security policy, every REST API call exchanged between the services must use strong, certificate-based mutual authentication and encrypted transport, while keeping operational overhead to a minimum. Which solution best meets these requirements?
Attach API keys to each request, store shared HMAC secrets in AWS Secrets Manager, and validate signatures with a Lambda authorizer.
Restrict traffic to VPC endpoints using network ACLs and Security Groups, and use VPC Flow Logs to verify request origin.
Enable mutual TLS on Amazon API Gateway and issue a unique client certificate from AWS Private Certificate Authority to each microservice so that every call is authenticated during the TLS handshake.
Require callers to include Amazon Cognito JWT access tokens in the Authorization header and rely on token signatures for authentication.
Amazon API Gateway's native mutual TLS capability can be enabled on a custom domain so that each calling microservice must present an X.509 certificate signed by a trusted private certificate authority. Using AWS Private CA to issue and rotate a unique certificate for each microservice allows fine-grained identification of callers. API Gateway performs the TLS handshake and certificate verification automatically, eliminating the need to develop and maintain custom Lambda authorizers. In contrast, an HMAC scheme with shared secrets stored in Secrets Manager provides integrity and basic authentication but lacks certificate-based mutual authentication. Cognito JWT access tokens are signed by the identity provider, not the microservice, and do not establish a mutually authenticated TLS channel. Network ACLs and VPC Flow Logs can restrict or record traffic but offer no cryptographic client authentication.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is mutual TLS, and why is it important?
Open an interactive chat with Bash
What is AWS Private Certificate Authority (CA), and how does it work?
Open an interactive chat with Bash
What are the advantages of using Amazon API Gateway for mutual TLS in microservices architecture?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .