ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare provider is deploying a serverless application on AWS that receives patients' vital-sign data from mobile devices, stores the records in Amazon S3, and invokes AWS Lambda functions for analytics. To comply with HIPAA, the team must minimize exposure of raw PHI, ensure encryption in transit and at rest, and use keys that rotate automatically. Which approach best meets these requirements?
Encrypt data in the mobile app with a hard-coded AES key before upload, disable encryption in Amazon S3, and transmit over HTTPS.
Require TLS 1.2 for all API requests, configure Amazon S3 server-side encryption with S3-managed AES-256 keys (SSE-S3), and rely on Amazon's default key rotation.
Enable mutual TLS on Amazon API Gateway, accept only client-authenticated sessions, decrypt the payload in AWS Lambda, then store it in Amazon S3 encrypted with a customer-managed AWS KMS key that has automatic rotation enabled.
Send data over an IPsec VPN without TLS, store records in Amazon S3 Glacier Deep Archive without encryption, and restrict access using bucket policies only.
Mutual TLS at Amazon API Gateway authenticates each calling device and encrypts the session, providing strong protection for PHI in transit. Decrypting the payload only inside a private Lambda function and immediately re-encrypting it with a customer-managed AWS KMS key (SSE-KMS) limits plaintext exposure to trusted code while giving the organization control over the key, detailed CloudTrail logging, and the ability to enable automatic annual key rotation. The other options fail to meet one or more requirements: relying on SSE-S3 does not give customer key control, hard-coding client-side keys impedes secure rotation, and using an IPsec VPN without TLS or encryption at rest would violate HIPAA safeguards.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Lambda and how does it enhance serverless applications?
Open an interactive chat with Bash
How does AWS KMS key rotation ensure data security?
Open an interactive chat with Bash
Why is mutual TLS important for protecting PHI in transit?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .