ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare startup stores diagnostic images containing protected health information (PHI) in an Amazon S3 bucket that is accessed by a web application. Compliance staff require the data to remain confidential both in transit and at rest while operations teams want the simplest possible key-management workflow. Which approach best prevents unauthorized disclosure of the images and meets these requirements?
Rely solely on private-bucket permissions enforced by AWS Identity and Access Management (IAM).
Implement client-side encryption using a customer-managed KMS key and mandate TLS for uploads and downloads.
Configure server-side encryption with Amazon S3-managed AES-256 keys (SSE-S3) and require all application traffic to the bucket to use HTTPS.
Enable cross-region replication of the bucket to another AWS account to add an extra security layer.
Enabling server-side encryption with Amazon S3-managed keys (SSE-S3) makes S3 encrypt every object at rest with AES-256, with key generation, storage and rotation handled entirely by S3; the customer never creates, stores or rotates a key (SSE-S3 has also been the default for new objects in new buckets since January 2023). A bucket policy that denies any request whose aws:SecureTransport condition is false forces every PUT and GET to use TLS, which provides confidentiality in transit. Relying only on IAM permissions leaves the objects in plaintext on the underlying storage media and does nothing to stop plaintext HTTP. Client-side encryption with a customer-managed AWS KMS key also protects the data, and keeps plaintext out of S3 entirely, but it requires the application to perform encryption and decryption itself and to manage the encrypted data keys stored alongside each object, so it is more complex to operate than SSE-S3. Cross-region replication improves durability and availability; it copies the data rather than protecting it and does not by itself prevent disclosure. SSE-S3 combined with enforced HTTPS is therefore the option that best meets both the confidentiality requirement and the operations team's low-maintenance requirement. One caveat a practitioner should keep in mind: SSE-S3 is transparent to any principal that is authorized to read an object, so it guards the stored bytes, not the access path, and least-privilege IAM permissions on the bucket remain necessary.
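The bucket policy and default-encryption rule the explanation above describes, written out as an added example (it is not part of the original question and is not taken from AWS documentation). The bucket name, the sample request contexts and the small policy evaluator that applies the Deny statement to them are assumptions for illustration; real IAM evaluation supports many more condition operators than the one checked here.

```python
"""Added example: an S3 bucket policy that explicitly denies every request
not made over TLS (the aws:SecureTransport condition key), the default
bucket encryption rule for SSE-S3, and a minimal evaluator that applies the
policy's Deny statements to constructed request contexts.

The bucket name, the evaluator and the sample requests below are this
example's assumptions, not material from the original question."""
import json

BUCKET = "phi-diagnostic-images"  # assumed bucket name


def tls_only_bucket_policy(bucket: str) -> dict:
    """Bucket policy that denies all S3 actions on the bucket and its objects
    when the request did not arrive over HTTPS. An explicit Deny overrides
    any Allow granted elsewhere in IAM, so no identity can fall back to HTTP."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def default_encryption_config() -> dict:
    """Default-encryption rule: every new object is encrypted at rest with
    S3-managed AES-256 keys (SSE-S3), with no customer key management.
    This is the document passed to put-bucket-encryption."""
    return {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
        ]
    }


def _matches(statement: dict, request: dict) -> bool:
    """Simplified statement matching: action, resource and Bool conditions.
    A Bool condition matches only when the context key is present and equals
    the expected value, which is how aws:SecureTransport behaves."""
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    action_ok = any(a == "s3:*" or a == request["action"] for a in actions)

    resources = statement["Resource"]
    resources = [resources] if isinstance(resources, str) else resources
    resource_ok = any(
        request["resource"] == r
        or (r.endswith("/*") and request["resource"].startswith(r[:-1]))
        for r in resources
    )

    cond_ok = True
    for key, expected in statement.get("Condition", {}).get("Bool", {}).items():
        actual = request["context"].get(key)
        cond_ok = cond_ok and actual is not None and str(actual).lower() == expected
    return action_ok and resource_ok and cond_ok


def is_denied(policy: dict, request: dict) -> bool:
    """True when any Deny statement in the policy matches the request."""
    return any(
        s["Effect"] == "Deny" and _matches(s, request) for s in policy["Statement"]
    )


# Constructed sample requests: the same GET over TLS and over plaintext HTTP,
# plus a request against an unrelated bucket that the policy must not touch.
HTTPS_GET = {
    "action": "s3:GetObject",
    "resource": f"arn:aws:s3:::{BUCKET}/scan-001.dcm",
    "context": {"aws:SecureTransport": "true"},
}
HTTP_GET = {**HTTPS_GET, "context": {"aws:SecureTransport": "false"}}
OTHER_BUCKET_HTTP = {**HTTP_GET, "resource": "arn:aws:s3:::some-other-bucket/x"}

if __name__ == "__main__":
    policy = tls_only_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print(json.dumps(default_encryption_config(), indent=2))
    for name, req in [("https", HTTPS_GET), ("http", HTTP_GET)]:
        print(name, "denied" if is_denied(policy, req) else "allowed by this policy")
```

The two JSON documents are what you would hand to `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` and `aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration file://encryption.json`. The evaluator only decides whether the Deny statement fires; a request it does not deny still needs an Allow from IAM or the bucket policy before S3 serves it, which is the least-privilege layer that encryption at rest does not replace.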
Domain: Cryptography