ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare startup hosts a web application on AWS that lets patients upload medical records to an Amazon S3 bucket. To satisfy HIPAA's mandate to prevent unauthorized disclosure of Protected Health Information (PHI) and to detect any later tampering with stored objects, the team wants a solution that requires minimal ongoing key or infrastructure management. Which approach best meets these requirements?
Use client-side RSA encryption for every file and rely on the ETag value returned by S3 uploads as proof of file integrity.
Encrypt each file locally with AES-256 using a shared secret key and upload it to an S3 bucket that has a public-read ACL to simplify access controls.
Enable S3 Server-Side Encryption with AWS KMS (SSE-KMS) and require each upload to include an SHA-256 checksum stored in object metadata for later verification.
Store the files unencrypted in S3 but enable bucket versioning and AWS CloudTrail data events to detect any unwanted changes.
Server-side encryption with AWS KMS (SSE-KMS) provides the confidentiality: Amazon S3 encrypts each object at rest under a KMS key, either the AWS managed key for S3 (aws/s3) or a customer managed key, and KMS handles key storage, rotation and access logging, so the team runs no encryption or key-management infrastructure of its own. Requiring clients to compute a SHA-256 digest of each file and send it with the PUT request, and storing that digest in the object's metadata, lets the application recompute the hash whenever the object is retrieved and compare it with the stored value, so any change to the stored bytes is detected. S3 can also validate the same digest on upload through its native checksum support (the x-amz-checksum-sha256 header), rejecting a PUT whose body does not match. One caveat a practitioner should note: a principal who can overwrite the object can normally rewrite its metadata in the same request, so if the goal is to catch deliberate tampering rather than corruption, the application should also record the digest somewhere the object writer cannot reach, such as its own database. The bucket is private by default, which further protects the PHI.

The other options fail on at least one requirement. A public-read ACL exposes every uploaded record, so the shared-secret AES option breaks confidentiality regardless of how the files are encrypted, and a shared secret distributed to every client is itself a key-management burden. Versioning and CloudTrail data events only record that objects changed; they leave PHI unencrypted at rest and provide no confidentiality control. Client-side RSA encryption shifts key generation, distribution and rotation onto the startup, and the ETag is not a hash of the content for multipart uploads or for objects encrypted with SSE-KMS, so it cannot serve as an integrity check. Enabling SSE-KMS and requiring a SHA-256 checksum on each upload is therefore the only option that delivers both confidentiality and integrity with low operational burden.
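The upload-and-verify flow the explanation describes, as an added example that is not part of the exam page. The bucket name, KMS key alias and sample record are constructed placeholders; FakeS3Client is a constructed in-memory stand-in that accepts the same keyword arguments as boto3's S3 client (ServerSideEncryption, SSEKMSKeyId, ChecksumAlgorithm, ChecksumSHA256, Metadata, ChecksumMode) so the example runs offline, and in production you would pass boto3.client("s3") instead. The example also shows the caveat above: the digest returned by put_record is kept outside the object so a rewrite of both body and metadata is still caught.

```python
"""Store a record in S3 under SSE-KMS with a SHA-256 digest, verify it on read.

Added example, not from the exam page. BUCKET, KMS_KEY_ID and SAMPLE_RECORD are
placeholders; FakeS3Client is a constructed stand-in for boto3.client("s3").
"""
import base64
import hashlib
import io
from typing import Optional, Tuple

BUCKET = "example-phi-bucket"      # placeholder bucket name
KMS_KEY_ID = "alias/phi-records"   # placeholder customer managed KMS key alias
SAMPLE_RECORD = b"patient-id=12345\ndx=J45.20\nnote=constructed sample, not real PHI\n"


class IntegrityError(Exception):
    """Stored object does not match its recorded SHA-256 digest."""


def sha256_digests(data: bytes) -> Tuple[str, str]:
    """Return SHA-256 of data as (hex, base64).

    S3's ChecksumSHA256 parameter (x-amz-checksum-sha256) takes the base64 form;
    the hex form is what this application records for later comparison.
    """
    digest = hashlib.sha256(data).digest()
    return digest.hex(), base64.b64encode(digest).decode("ascii")


def put_record(s3, key: str, data: bytes) -> str:
    """PUT under SSE-KMS with an S3-validated and an app-recorded SHA-256 digest.

    Returns the hex digest so the caller can keep it outside the object.
    """
    hex_digest, b64_digest = sha256_digests(data)
    s3.put_object(
        Bucket=BUCKET,
        Key=key,
        Body=data,
        ServerSideEncryption="aws:kms",    # SSE-KMS: encrypted at rest under the KMS key
        SSEKMSKeyId=KMS_KEY_ID,
        ChecksumAlgorithm="SHA256",        # S3 rejects the PUT if the body hash differs
        ChecksumSHA256=b64_digest,
        Metadata={"sha256": hex_digest},   # travels with the object
    )
    return hex_digest


def get_record_verified(s3, key: str, expected_hex: Optional[str] = None) -> bytes:
    """GET the object, recompute SHA-256 and compare with the recorded digests.

    The metadata check catches corruption or an overwrite that left metadata
    alone; expected_hex, kept outside the object, also catches an attacker who
    rewrote body and metadata together.
    """
    resp = s3.get_object(Bucket=BUCKET, Key=key, ChecksumMode="ENABLED")
    body = resp["Body"].read()
    actual_hex, _ = sha256_digests(body)
    stored_hex = resp.get("Metadata", {}).get("sha256")
    if actual_hex != stored_hex:
        raise IntegrityError(f"{key}: body hash {actual_hex} != metadata {stored_hex}")
    if expected_hex is not None and actual_hex != expected_hex:
        raise IntegrityError(f"{key}: body hash {actual_hex} != recorded {expected_hex}")
    return body


class FakeS3Client:
    """Constructed in-memory stand-in for boto3's S3 client."""

    def __init__(self):
        self._objects = {}

    def put_object(self, **kw):
        # Mimic S3's server-side validation of the supplied checksum.
        if kw.get("ChecksumAlgorithm") == "SHA256":
            if kw.get("ChecksumSHA256") != sha256_digests(kw["Body"])[1]:
                raise ValueError("BadDigest")
        self._objects[(kw["Bucket"], kw["Key"])] = {
            "Body": kw["Body"],
            "Metadata": dict(kw.get("Metadata", {})),
            "ServerSideEncryption": kw.get("ServerSideEncryption"),
        }

    def get_object(self, Bucket, Key, **kw):
        obj = self._objects[(Bucket, Key)]
        return {"Body": io.BytesIO(obj["Body"]), "Metadata": dict(obj["Metadata"]),
                "ServerSideEncryption": obj["ServerSideEncryption"]}

    def tamper(self, Key, new_body: bytes):
        """Simulate modification of the stored bytes (not a boto3 method)."""
        self._objects[(BUCKET, Key)]["Body"] = new_body


def demo() -> dict:
    """Upload, verify a clean read, tamper with the object, confirm detection."""
    s3 = FakeS3Client()
    key = "records/12345.txt"
    digest = put_record(s3, key, SAMPLE_RECORD)
    clean_ok = get_record_verified(s3, key, digest) == SAMPLE_RECORD
    s3.tamper(key, SAMPLE_RECORD.replace(b"J45.20", b"J45.30"))  # altered diagnosis code
    try:
        get_record_verified(s3, key, digest)
        detected = False
    except IntegrityError:
        detected = True
    return {"digest": digest, "clean_ok": clean_ok, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

Against a real bucket, replace FakeS3Client() with boto3.client("s3"); the IAM principal needs s3:PutObject and s3:GetObject on the bucket plus kms:GenerateDataKey and kms:Decrypt on the KMS key, which is exactly the permission boundary SSE-KMS adds over SSE-S3.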