ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A health-tech startup stores daily medical images in an Amazon S3 bucket and processes them with an Amazon EMR cluster. Regulations stipulate that encryption keys must remain under the organization's exclusive control, yet the team wants to avoid adding client-side encryption overhead that could slow the nightly EMR jobs. Which solution best preserves data confidentiality while meeting the operational goal?
Perform client-side encryption with the AWS Encryption SDK using a 4096-bit RSA key stored in the company's on-premises HSM before uploading to S3.
Enable S3 server-side encryption using S3-managed keys (SSE-S3) and process objects unencrypted in EMR.
Configure S3 default encryption with a customer-managed AWS KMS key created in the AWS account.
Use S3 server-side encryption with customer-provided keys (SSE-C), supplying the symmetric key from the company's on-premises HSM for every upload and download.
Server-side encryption with customer-provided keys (SSE-C) meets both requirements. S3 performs the encryption and decryption on the server side using an AES-256 key that the customer supplies with each request; AWS never stores this key, so the organization retains sole control. Because the cryptographic operations occur within S3, EMR jobs access data at normal S3 performance without the extra latency or code changes associated with client-side encryption.
SSE-S3 and SSE-KMS off-load key management to AWS-managed or AWS KMS keys, so the organization would not retain exclusive control of the key material. Client-side encryption with an on-premises RSA key keeps keys internal but shifts all cryptographic processing to the application and adds significant overhead, contradicting the desire to minimize performance impact.
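The per-request key handling described above, shown as an added example (not part of the original question and not AWS's own code): it builds the three SSE-C headers that must accompany every upload and download, and refuses plain HTTP because the key itself travels in the request. The bucket URL and key bytes are constructed placeholders; in the scenario the key would be supplied by the on-premises HSM.

```python
import base64
import hashlib
from urllib.parse import urlparse

SSE_C_ALGORITHM = "AES256"   # the only algorithm S3 accepts for SSE-C
KEY_BYTES = 32               # AES-256 key length in bytes


def sse_c_headers(key: bytes) -> dict:
    """Build the SSE-C headers S3 requires on each PUT/GET/HEAD of the object."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"SSE-C needs a {KEY_BYTES}-byte key, got {len(key)}")
    # MD5 is only a transport integrity check on the key, not a security control.
    key_md5 = hashlib.md5(key, usedforsecurity=False).digest()
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode("ascii"),
    }


def prepare_request(method: str, url: str, key: bytes) -> tuple:
    """Return (method, url, headers) for an SSE-C object request.

    S3 rejects SSE-C requests sent over HTTP; fail early on the client side
    so the key is never put on the wire in cleartext.
    """
    if method not in ("PUT", "GET", "HEAD"):
        raise ValueError(f"unsupported method for this helper: {method}")
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requests must use HTTPS")
    return method, url, sse_c_headers(key)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    demo_key = bytes(range(32))
    demo_url = "https://example-bucket.s3.amazonaws.com/scan-0001.dcm"
    for verb in ("PUT", "GET"):
        _, _, headers = prepare_request(verb, demo_url, demo_key)
        # Print header names only; never log the key header's value.
        print(verb, sorted(headers))
```

The download must present the same key as the upload, which is why losing the key held in the HSM means losing the object.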
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography