ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An online insurance startup stores policyholder passport images in an Amazon S3 bucket. Regulations require that all PII be encrypted at rest with customer-controlled keys whose use can be audited, and that every upload or download occurs over encrypted channels. Operations prefers the lowest-maintenance AWS-managed approach. Which solution best meets these compliance and operational requirements?
Configure S3 default encryption with AWS KMS using a customer-managed CMK and enforce HTTPS-only access with a bucket policy.
Implement client-side encryption in the application, store the key in application code, and use service control policies to block non-HTTPS traffic.
Enable S3 server-side encryption with Amazon-managed keys (SSE-S3) and require HTTPS for all PUT and GET operations.
Move the images to an encrypted EBS volume attached to an EC2 SFTP server secured with SSH for uploads.
Using S3 default encryption with an AWS Key Management Service (KMS) customer-managed CMK encrypts every object at rest while giving the organization full control over the key lifecycle. Each use of the CMK is recorded in AWS CloudTrail, providing an auditable log to satisfy regulatory oversight. Enforcing HTTPS-only access in the bucket policy guarantees encryption in transit. SSE-S3 lacks customer key control and detailed key-use auditing. Client-side encryption with application-stored keys meets control requirements but imposes higher operational burden. Moving objects to encrypted EBS behind an EC2 SFTP server adds complexity and cost while abandoning S3's managed durability and scalability.
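As an added illustration (example code, not part of the original question or answer), the two controls the explanation relies on can be expressed and audited in Python. The block builds the SSE-KMS default-encryption configuration with an explicit customer-managed key and the bucket policy that denies any request where `aws:SecureTransport` is false, then runs two audit checks that distinguish them from the SSE-S3 and no-TLS-condition alternatives. The bucket name and KMS key ARN are constructed placeholders; the function names are this example's own.

```python
"""Added example (not from the original question): build and audit the two S3
controls the explanation describes, an SSE-KMS default-encryption configuration
with a customer-managed key and a bucket policy that denies any request not sent
over TLS. The bucket name and key ARN are constructed placeholders."""
import json

# Constructed placeholder values; substitute your own bucket and KMS key ARN.
BUCKET = "example-policy-images"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def build_sse_kms_config(key_arn: str) -> dict:
    """Default-encryption configuration (the shape PutBucketEncryption accepts)
    that encrypts every new object with the given customer-managed KMS key."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": key_arn,
                }
            }
        ]
    }


def build_tls_only_policy(bucket: str) -> dict:
    """Bucket policy that denies every S3 action from any principal when the
    request did not use TLS (aws:SecureTransport evaluates to false)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def encryption_uses_customer_kms(config: dict) -> bool:
    """Audit check: does the default-encryption config use SSE-KMS with an
    explicit key the account controls, rather than SSE-S3 (AES256) or the
    AWS-managed alias/aws/s3 key?"""
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        key_id = default.get("KMSMasterKeyID", "")
        if default.get("SSEAlgorithm") == "aws:kms" and key_id:
            if "alias/aws/s3" not in key_id:
                return True
    return False


def policy_enforces_tls(policy: dict) -> bool:
    """Audit check: does the policy contain a Deny on all S3 actions, covering
    the bucket's objects, that fires whenever aws:SecureTransport is false?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("s3:*", "*") for a in actions) and any(r.endswith("/*") for r in resources):
            return True
    return False


# Constructed "before" settings for comparison: SSE-S3 and a policy with no TLS condition.
SSE_S3_CONFIG = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_tls_only_policy(BUCKET), indent=2))
    print("SSE-KMS with customer key:", encryption_uses_customer_kms(build_sse_kms_config(KMS_KEY_ARN)))
    print("SSE-S3:", encryption_uses_customer_kms(SSE_S3_CONFIG))
    print("TLS enforced:", policy_enforces_tls(build_tls_only_policy(BUCKET)))
    print("TLS enforced (permissive policy):", policy_enforces_tls(PERMISSIVE_POLICY))
```

The two builder outputs are what you would pass to boto3's `put_bucket_encryption(Bucket=..., ServerSideEncryptionConfiguration=...)` and `put_bucket_policy(Bucket=..., Policy=json.dumps(...))`; the two audit functions can be run over the responses of `get_bucket_encryption` and `get_bucket_policy` (the latter returns the policy as a JSON string to `json.loads`) to verify that existing buckets meet the at-rest and in-transit requirements the question describes.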