ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A payments microservice hosted on AWS Lambda must call a private REST API published through Amazon API Gateway. Security requirements state that the API must be able to (1) confirm that each request really originated from an authorized Lambda function and (2) ensure the calling function cannot later deny having sent a specific payment instruction. Which approach BEST meets both requirements with minimal operational overhead?
Enable mutual TLS between the Lambda function and API Gateway and restrict the API to the Lambda's VPC CIDR range.
Include an HMAC of the request body in a custom HTTP header, using a shared secret retrieved at runtime from AWS Secrets Manager.
Require the Lambda to present an API key generated by API Gateway in each request and rotate the key every 30 days.
Have the Lambda function call AWS KMS Sign with its own asymmetric KMS key (for example an RSA signing key whose private portion never leaves KMS) to create a digital signature over each request payload, and send the signature with the request; the API verifies the signature with the corresponding public key.
Digital signatures generated with a private key and verified with the corresponding public key provide data integrity, authenticate the signer, and bind the signer to the exact message, which enables non-repudiation: only the holder of the private key could have created the signature. An asymmetric KMS key keeps the private portion inside KMS (it is never exported to the Lambda) while the API fetches the public key with kms:GetPublicKey for verification. In practice the non-repudiation argument depends on two controls around the key: the key policy must restrict kms:Sign to the Lambda's execution role, and CloudTrail records every Sign call with the calling principal. The signed bytes should also cover a timestamp or nonce and the request metadata, not just the body, so a captured signed request cannot be replayed later.
A keyed-hash message authentication code (HMAC) supplies integrity and authenticity, but because both parties share the same secret, either of them could have generated the MAC, so the API cannot prove to a third party that the Lambda sent a given instruction and non-repudiation is not achieved. Mutual TLS authenticates the communicating endpoints for the session but leaves no per-request artifact that can later prove who generated a specific request once the session ends. API keys in API Gateway are identifiers meant for usage plans and throttling rather than authentication; they can be shared or stolen and provide neither cryptographic integrity nor non-repudiation. Hence, signing each request with an asymmetric private key managed by AWS KMS is the only option that fulfills both authenticity and non-repudiation while keeping operational overhead low.
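The following Go program is an added example, not part of the original question page, showing the signed-request pattern the explanation describes and why the HMAC alternative fails non-repudiation. It uses only the standard library: a locally generated RSA key stands in for the asymmetric KMS key (in AWS the Lambda would call kms:Sign and hold only a key ID), and the canonical string layout, the nonce field, the one-minute acceptance window and the in-memory nonce store are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SignedRequest is the envelope the Lambda sends to the API. Timestamp and
// Nonce are covered by the signature so a captured request cannot be replayed.
type SignedRequest struct {
	Method    string
	Path      string
	Timestamp int64  // Unix seconds when the request was signed
	Nonce     string // caller-chosen unique value (assumption: a UUID in practice)
	Body      []byte
	Signature []byte // RSASSA-PSS/SHA-256 over canonical(), made with the private key
}

// canonical builds the exact bytes that are signed. Both sides must agree on
// this layout; the format used here is an assumption for the example.
func canonical(method, path string, ts int64, nonce string, body []byte) []byte {
	bodyHash := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s\n%s", method, path, ts, nonce, hex.EncodeToString(bodyHash[:])))
}

// NewSigningKey stands in for creating an asymmetric KMS key. With KMS the
// private half is never exported, so this function would not exist in AWS.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignRequest is the Lambda side. With KMS the rsa.SignPSS call is replaced by
// kms:Sign with MessageType=DIGEST and SigningAlgorithm=RSASSA_PSS_SHA_256 over
// the same digest, so the function holds a KeyId rather than a private key.
func SignRequest(priv *rsa.PrivateKey, method, path string, body []byte, now time.Time, nonce string) (*SignedRequest, error) {
	ts := now.Unix()
	digest := sha256.Sum256(canonical(method, path, ts, nonce, body))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedRequest{Method: method, Path: path, Timestamp: ts, Nonce: nonce, Body: body, Signature: sig}, nil
}

// VerifyRequest is the API side. It needs only the public key (kms:GetPublicKey
// in AWS), rejects stale or replayed requests, then checks the signature.
// seenNonces must be shared across API instances in production (assumption:
// a DynamoDB table with TTL); a map is used here so the example runs offline.
func VerifyRequest(pub *rsa.PublicKey, req *SignedRequest, now time.Time, maxSkew time.Duration, seenNonces map[string]bool) error {
	skew := now.Sub(time.Unix(req.Timestamp, 0))
	if skew > maxSkew || skew < -maxSkew {
		return errors.New("timestamp outside acceptance window")
	}
	if seenNonces[req.Nonce] {
		return errors.New("nonce already used: replay")
	}
	digest := sha256.Sum256(canonical(req.Method, req.Path, req.Timestamp, req.Nonce, req.Body))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], req.Signature, nil); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	seenNonces[req.Nonce] = true // record the nonce only after the signature checks out
	return nil
}

// HMACTag is the rejected option from the question: a tag over the body with a
// secret shared by both parties.
func HMACTag(secret, msg []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifierCanForgeHMAC shows why HMAC fails non-repudiation: the API, holding
// the same secret, produces a tag identical to the Lambda's, so a valid tag
// proves nothing to a third party about which side created it.
func VerifierCanForgeHMAC(sharedSecret, msg []byte) bool {
	lambdaTag := HMACTag(sharedSecret, msg)
	apiTag := HMACTag(sharedSecret, msg) // computed by the API without any help from the Lambda
	return hmac.Equal(lambdaTag, apiTag)
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	body := []byte(`{"to":"acct-42","amount":"100.00","currency":"EUR"}`) // constructed sample payload
	req, _ := SignRequest(priv, "POST", "/v1/payments", body, now, "nonce-0001")
	seen := map[string]bool{}
	fmt.Println("first delivery:", VerifyRequest(&priv.PublicKey, req, now.Add(5*time.Second), time.Minute, seen))
	fmt.Println("replayed:", VerifyRequest(&priv.PublicKey, req, now.Add(6*time.Second), time.Minute, seen))
	req.Body = []byte(`{"to":"acct-42","amount":"9999.00","currency":"EUR"}`)
	fmt.Println("tampered:", VerifyRequest(&priv.PublicKey, req, now, time.Minute, map[string]bool{}))
	fmt.Println("API can forge HMAC tag:", VerifierCanForgeHMAC([]byte("shared-secret"), body))
}
```

The first delivery verifies, the replay and the tampered body are rejected, and the HMAC check shows the API producing the same tag the Lambda would have sent. Mapping this to the question: the private key in NewSigningKey corresponds to the asymmetric KMS key, SignRequest is what the Lambda does via kms:Sign, and VerifyRequest is the check the API performs with the public key.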
Cryptography