ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security analyst must design a process that allows an AWS Lambda function to verify, during nightly audits, that no Amazon S3 log objects have been altered since they were first stored. The solution must rely on comparing a single, fixed-length value for each object, regardless of whether the log file is 10 KB or 10 GB. Which approach best satisfies this requirement?
Encrypt each log file with AES-256 in CBC mode and compare the resulting ciphertext to detect changes.
Compute a SHA-256 hash of each log file and store the resulting digest for later comparison.
Compress each log file with Gzip and use the checksum contained in the Gzip header for integrity checks.
Record the total number of bytes in each log file and verify that the size remains unchanged.
Cryptographic hash algorithms such as SHA-256 always produce a fixed-length 256-bit (32-byte) digest no matter how large or small the original input is. By computing the SHA-256 hash when the file is first stored and saving that value in a trusted location (for example, DynamoDB or AWS Secrets Manager), the Lambda audit function can later recompute the hash and compare the two digests. Any bit-level change in the object will generate a completely different digest, making unauthorized modifications easy to detect.
The other options do not meet the requirement:
Encrypting with AES-256 in CBC mode yields ciphertext whose length varies with the plaintext (it must be padded to block boundaries) and does not by itself provide an integrity check.
Recording only the file's byte count will not detect changes that keep the length the same.
Gzip compression produces outputs of variable length and its header checksum is not designed to be collision-resistant or tamper-evident.
Therefore, using a SHA-256 hash is the most appropriate method for generating a fixed-size data fingerprint suitable for integrity verification.
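The store-then-recompute check described above, as an added example that is not part of the original question. It assumes an in-memory dict in place of the trusted digest store and `io.BytesIO` objects in place of S3 object bodies; the function names and object keys are hypothetical.

```python
import hashlib
import hmac
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so memory use is constant

def sha256_stream(stream, chunk_size=CHUNK):
    """Return the 32-byte SHA-256 digest of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.digest()

def record_baseline(store, key, stream):
    """Compute the digest when the object is first stored and save it."""
    store[key] = sha256_stream(stream)

def audit(store, objects):
    """Recompute each digest and return {key: status} for the nightly report."""
    report = {}
    for key, expected in store.items():
        data = objects.get(key)
        if data is None:
            report[key] = "MISSING"
            continue
        actual = sha256_stream(io.BytesIO(data))
        report[key] = "OK" if hmac.compare_digest(actual, expected) else "MODIFIED"
    return report

def demo():
    # Constructed sample data: in-memory stand-ins for S3 objects and the digest store.
    objects = {
        "logs/app-01.log": b"2024-01-01T00:00:00Z user=alice action=login result=ok\n" * 1000,
        "logs/app-02.log": b"x" * (3 * CHUNK + 17),
    }
    store = {}
    for key, data in objects.items():
        record_baseline(store, key, io.BytesIO(data))
    # Same-length tampering: a byte-count check would not notice this edit.
    tampered = objects["logs/app-01.log"].replace(b"alice", b"mallo", 1)
    assert len(tampered) == len(objects["logs/app-01.log"])
    objects["logs/app-01.log"] = tampered
    return store, audit(store, objects)

if __name__ == "__main__":
    store, report = demo()
    for key, status in report.items():
        print(f"{status:8} {key} baseline={store[key].hex()}")
```

Both baselines are 32 bytes even though the objects differ in size, and the edited log is flagged although its byte count is unchanged.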