ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An e-commerce company stores customers' profile photos and government ID scans in a private Amazon S3 bucket. To comply with data privacy principles of confidentiality and least-privilege access, only a dedicated fraud-analysis application should be able to read the objects, and the security team needs a central record of every object-level access. Which solution best meets these requirements while adding the least operational overhead?
Archive the objects to Amazon S3 Glacier Deep Archive with vault lock, grant the fraud-analysis application full S3 access through an IAM user, and rely on CloudWatch metrics to track retrievals.
Enable server-side encryption with AWS KMS (SSE-KMS) on the bucket, apply a bucket policy that allows only the fraud-analysis IAM role to perform GetObject, and turn on AWS CloudTrail data events for the bucket to log every object-level access.
Migrate the images to an encrypted Amazon EBS volume attached to the fraud-analysis EC2 instance and capture VPC Flow Logs for the subnet to monitor access attempts.
Create an S3 VPC gateway endpoint, block public access on the bucket, control traffic with network ACLs, and enable S3 server access logging for auditing.
Using server-side encryption with AWS KMS protects the objects at rest and satisfies the confidentiality requirement without changing application code. A resource-based S3 bucket policy that grants GetObject permissions solely to the fraud-analysis application's IAM role enforces least-privilege access. Enabling AWS CloudTrail data events for the bucket records every object-level API call (such as GetObject, PutObject, DeleteObject) in a central audit trail that the security team can query. The other options either do not provide object-level auditing (VPC Flow Logs, CloudWatch metrics), grant broader access than necessary, fail to encrypt data at rest, or introduce higher operational overhead (managing EBS volumes or Glacier workflows), so they do not meet all stated privacy requirements as effectively.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS KMS and how does it ensure data encryption?
Open an interactive chat with Bash
What are AWS CloudTrail data events, and why are they useful for object-level auditing?
Open an interactive chat with Bash
What is a bucket policy in Amazon S3, and how does it enforce least-privilege access?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Risk Identification, Monitoring and Analysis
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .