ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A fintech startup on AWS has a Lambda function that submits JSON trade orders over TLS to an internal REST API behind an Application Load Balancer. Regulators require each order to be tamper-evident and ensure the caller cannot later deny sending it. The team needs a low-maintenance solution that avoids running its own certificate authority. Which approach best satisfies the non-repudiation requirement for every order?
Compute an HMAC-SHA256 over each order using a secret in AWS Secrets Manager; have the API verify the HMAC with the same key.
Add a CRC32 checksum header to each request and validate it in the API before processing the order.
Invoke the AWS KMS Sign API with an asymmetric key to create an RSA digital signature of each payload, and let the API verify it using the public key.
Enable CloudTrail data events for the API and store the logs in an S3 bucket with Object Lock to create immutable evidence of every call.
Non-repudiation demands a cryptographic control that proves only one specific entity could have created the message. An asymmetric digital signature fulfils this because only the private-key holder can produce the signature, while anyone with the public key can verify it. Using an AWS KMS asymmetric key for signing keeps the private key inside KMS and eliminates the need to operate a separate CA, satisfying both operational-overhead and non-repudiation requirements.
An HMAC uses a shared secret known to both parties, so either could forge the tag and later deny authorship. CloudTrail with S3 Object Lock secures log files after the fact but does not sign each message. A CRC32 checksum detects accidental errors but provides no authentication or non-repudiation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is non-repudiation in the context of cybersecurity?
Open an interactive chat with Bash
How do asymmetric digital signatures work and why are they suitable for non-repudiation?
Open an interactive chat with Bash
What is the role of AWS KMS in creating and managing digital signatures?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .