ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare firm runs a legacy clinical application on Amazon EC2 that only supports TLS 1.0. Corporate policy mandates that all external connections use TLS 1.2 or newer. Because the vendor patch will not arrive before the upcoming compliance audit, the security engineer must implement a compensating control. Which solution best meets the requirement while allowing the application to remain unchanged?
Deploy AWS Network Firewall ahead of the instance and create a rule that drops any packets not using TLS 1.2.
Place an Application Load Balancer in front of the instance, enforce a TLS 1.2-only security policy on the listener, and re-encrypt traffic to the backend with TLS 1.0.
Enable EBS encryption on the instance's volumes and rotate the KMS key monthly to satisfy encryption requirements.
Apply an IAM policy that blocks the legacy instance from initiating outbound network connections except to its database.
A compensating control provides an alternative safeguard when the preferred control (upgrading the application to support TLS 1.2) is not immediately feasible. Terminating incoming sessions on an Application Load Balancer that is configured with a TLS 1.2-only security policy ensures every client negotiates the required protocol. The load balancer can then re-encrypt traffic to the backend with TLS 1.0, allowing the legacy application to operate unchanged while satisfying the policy for external connections.
AWS Network Firewall cannot reliably drop traffic based on the negotiated TLS version because the TLS handshake is encrypted after the ClientHello, and version filtering is not a supported feature. Encrypting EBS volumes protects data at rest and does nothing for in-transit requirements. Restricting the instance's outbound access addresses egress control, not the mandated minimum TLS version for inbound client sessions. Therefore, using an Application Load Balancer for TLS 1.2 termination is the appropriate compensating control.
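As an added example (not part of the original question or the exam provider's material), the following Python audit checks whether an Application Load Balancer's listeners actually enforce the TLS 1.2-or-newer floor. It reads data in the shape returned by `aws elbv2 describe-ssl-policies` and `aws elbv2 describe-listeners`; the records embedded below are constructed samples with placeholder ARNs, and only the protocol lists of each policy are evaluated, not cipher suites.

```python
import json

# Constructed sample shaped like `aws elbv2 describe-ssl-policies` output
# (protocol lists abbreviated, cipher lists omitted: only protocols are checked).
SSL_POLICIES_JSON = """{"SslPolicies": [
  {"Name": "ELBSecurityPolicy-2016-08", "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
  {"Name": "ELBSecurityPolicy-TLS-1-2-2017-01", "SslProtocols": ["TLSv1.2"]},
  {"Name": "ELBSecurityPolicy-TLS13-1-2-2021-06", "SslProtocols": ["TLSv1.2", "TLSv1.3"]}
]}"""

# Constructed sample shaped like `aws elbv2 describe-listeners` output; ARNs are placeholders.
LISTENERS_JSON = """{"Listeners": [
  {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/legacy-clinical/ID/1",
   "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
  {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/legacy-clinical/ID/2",
   "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},
  {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/legacy-clinical/ID/3",
   "Protocol": "HTTP", "Port": 80}
]}"""

# Protocol versions that violate a "TLS 1.2 or newer" policy.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def policy_protocols(ssl_policies_doc):
    """Map each ELB security policy name to the set of protocol versions it negotiates."""
    return {p["Name"]: set(p["SslProtocols"]) for p in ssl_policies_doc["SslPolicies"]}

def audit_listeners(listeners_doc, protocols_by_policy):
    """Return (arn, port, reason) for every listener that does not enforce a TLS 1.2 floor.
    Plaintext listeners are reported too: a TLS floor on 443 is moot if port 80 is open."""
    findings = []
    for lst in listeners_doc["Listeners"]:
        arn, port = lst["ListenerArn"], lst["Port"]
        if lst["Protocol"] != "HTTPS":
            findings.append((arn, port, "no TLS: protocol is %s" % lst["Protocol"]))
            continue
        allowed = protocols_by_policy.get(lst["SslPolicy"])
        if allowed is None:  # policy absent from describe-ssl-policies output: cannot vouch for it
            findings.append((arn, port, "unknown policy %s" % lst["SslPolicy"]))
            continue
        weak = sorted(allowed & LEGACY_PROTOCOLS)
        if weak:
            findings.append((arn, port, "%s permits %s" % (lst["SslPolicy"], ", ".join(weak))))
    return findings

def run_audit(ssl_policies_json=SSL_POLICIES_JSON, listeners_json=LISTENERS_JSON):
    """Parse both JSON documents and return the audit findings."""
    return audit_listeners(json.loads(listeners_json), policy_protocols(json.loads(ssl_policies_json)))
```

Against the sample data, the port 443 listener is flagged because ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1, and the port 80 listener is flagged as plaintext; the port 8443 listener passes.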
Security Concepts and Practices