ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare startup is launching a patient portal on AWS. Patient registration records with names, birth dates, and Social Security numbers will be stored in an Amazon RDS for PostgreSQL DB. Regulations require the PII be encrypted at rest, encryption keys rotate automatically each year, and no application code changes are allowed. Which solution meets all requirements while keeping operational overhead low?
Enable Amazon RDS encryption at rest with an AWS KMS customer master key (CMK) and configure automatic annual key rotation.
Require SSL/TLS for all application connections to RDS and restrict public network access to the database subnet.
Attach encrypted Amazon EBS volumes to application servers and enable operating-system full-disk encryption instead of encrypting RDS.
Implement client-side field-level encryption of PII with RSA-2048 in the application and store the ciphertext in RDS.
Enabling Amazon RDS encryption at rest with an AWS Key Management Service (KMS) customer master key provides transparent, AES-256 disk-level encryption that is fully managed by AWS. Because encryption and decryption occur in the storage layer, the application continues to use the database exactly as before, so no code changes are needed. KMS can automatically rotate customer-managed keys on an annual schedule, meeting the regulatory key-rotation requirement with minimal administrative effort.
Client-side RSA encryption would meet confidentiality goals but requires significant code changes and manual key management. TLS protects data in transit, not at rest, so it does not fulfill the stated requirement. Full-disk encryption on application servers secures local storage, not the database storage managed by RDS, and it does not provide the required automated key rotation for the database's data files.
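The settings the explanation relies on can be verified after deployment. The following is an added example, not part of the original question: an offline check over the JSON shapes returned by `aws rds describe-db-instances`, `aws kms describe-key` and `aws kms get-key-rotation-status`. The function name, instance name and key ARN are constructed for illustration.

```python
# Added example: offline check of the settings the explanation relies on.
# Input shapes follow `aws rds describe-db-instances`, `aws kms describe-key`
# and `aws kms get-key-rotation-status`; all sample values are constructed.

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder

SAMPLE_DB = {  # constructed DBInstances[] entry
    "DBInstanceIdentifier": "patient-portal-db",
    "Engine": "postgres",
    "StorageEncrypted": True,
    "KmsKeyId": KEY_ARN,
}
SAMPLE_KEY = {  # constructed KeyMetadata
    "Arn": KEY_ARN,
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
}
SAMPLE_ROTATION = {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}


def audit_rds_encryption(db, key, rotation, max_period_days=365):
    """Return a list of findings; an empty list means every check passed."""
    name = db.get("DBInstanceIdentifier", "<unknown>")
    if not db.get("StorageEncrypted", False):
        # TLS or encrypted app-server volumes do not change this flag.
        return [f"{name}: RDS storage is not encrypted at rest"]
    findings = []
    if db.get("KmsKeyId") != key.get("Arn"):
        findings.append(f"{name}: instance is encrypted with a different key")
    if key.get("KeyManager") != "CUSTOMER":
        findings.append(f"{name}: key is not customer managed")
    if key.get("KeyState") != "Enabled":
        findings.append(f"{name}: key state is {key.get('KeyState')}")
    # Assumption: a missing period means the 365-day default applies.
    if not rotation.get("KeyRotationEnabled", False):
        findings.append(f"{name}: automatic key rotation is disabled")
    elif rotation.get("RotationPeriodInDays", 365) > max_period_days:
        findings.append(f"{name}: rotation period exceeds {max_period_days} days")
    return findings


if __name__ == "__main__":
    print(audit_rds_encryption(SAMPLE_DB, SAMPLE_KEY, SAMPLE_ROTATION))
    print(audit_rds_encryption({**SAMPLE_DB, "StorageEncrypted": False},
                               SAMPLE_KEY, SAMPLE_ROTATION))
```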
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography