ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare provider is migrating its on-premises patient-record system into AWS. The records will reside in a new Amazon RDS for PostgreSQL instance. Regulations require that all patient data be encrypted at rest with encryption keys rotated annually and centrally managed. The application team cannot modify the workload to handle encryption. Which solution BEST satisfies these security and operational requirements?
Run PostgreSQL on Amazon EC2 and use LUKS to encrypt the attached EBS volumes with self-managed keys.
Implement field-level client-side encryption in the application using the AWS Encryption SDK and store ciphertext in the database.
Rely on default Amazon EBS encryption for the RDS instance's underlying volumes after launch.
Enable encryption at rest on the RDS instance using an AWS KMS customer managed key, and turn on key rotation in KMS.
Enabling Amazon RDS encryption at rest with an AWS KMS customer managed key (CMK) meets the compliance mandate because encryption is handled transparently by the service, covering the database files, automated backups, snapshots, and logs without requiring application changes. Using a customer managed CMK allows the security team to enable automatic annual rotation in AWS KMS, satisfying the key-management requirement. Relying solely on default EBS encryption after the instance is launched is not supported for RDS and would not encrypt backups. Client-side field-level encryption would meet the security mandate but contradicts the requirement to avoid application changes. Running PostgreSQL on EC2 with LUKS shifts operational burden to the organization and requires self-managed keys, failing the "centrally managed" criterion.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS KMS and how does it manage encryption keys?
Open an interactive chat with Bash
Why is Amazon RDS encryption at rest preferred over EBS encryption?
Open an interactive chat with Bash
What are the benefits of using customer managed keys in AWS KMS?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Security Concepts and Practices
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .