ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An online payment processor runs a serverless data analytics pipeline on AWS. Developers commit code to AWS CodeCommit, and AWS CodePipeline builds and deploys the artifacts to production. To limit insider fraud, the CISO mandates that no single engineer may be able to both modify source code and promote it to production. Which approach best enforces segregation of duties in this environment?
Create separate IAM roles so developers can only commit to CodeCommit, require an MFA-protected operations role to approve a manual approval stage in CodePipeline before production deployment, and log all actions with CloudTrail.
Enable AWS Config rules and GuardDuty to detect and automatically roll back unauthorized Lambda function changes after deployment.
Grant developers permissions to push to CodeCommit and also to release changes through CodePipeline once a peer code review is completed.
Use a single DevOps IAM role that combines development and deployment permissions but rely on CloudTrail and GuardDuty for post-deployment investigation.
Segregation of duties requires splitting critical tasks so that one person cannot complete an entire sensitive workflow alone. Giving developers both commit and deploy permissions, or using a single DevOps role, violates this principle. Relying only on detective controls such as Config or GuardDuty does not stop an engineer from unilaterally deploying malicious code; it can at best detect or roll back the change after it has reached production. Creating distinct IAM roles, with developers restricted to the source-code repositories and an operations role (protected with MFA) that must execute the manual approval action in CodePipeline, prevents any single individual from both altering code and releasing it. CloudTrail auditing further supports accountability without merging duties.
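The following is an added example, not part of the original question and not code taken from AWS documentation, showing how the two-role split described above can be written down as IAM managed policies in a CloudFormation template. The policy names, the account id 111122223333, the region, the repository name payments-analytics, the pipeline name payments-analytics-pipeline and the approval stage name Approve are all assumed placeholders. The pipeline itself, including its manual approval action, is assumed to exist already; only the permissions are shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: two IAM managed policies that separate the right to commit
  source code from the right to approve a production release. Account id,
  region, repository, pipeline and stage names are placeholders.

Resources:
  # Developers: read and write the source repository, observe the pipeline,
  # but never approve or trigger a release.
  DeveloperPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: payments-developer
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CommitToSourceRepo
            Effect: Allow
            Action:
              - codecommit:GitPull
              - codecommit:GitPush
              - codecommit:CreateBranch
              - codecommit:CreatePullRequest
              - codecommit:GetRepository
            Resource: arn:aws:codecommit:us-east-1:111122223333:payments-analytics
          - Sid: ReadPipelineStateOnly
            Effect: Allow
            Action:
              - codepipeline:GetPipelineState
              - codepipeline:GetPipelineExecution
            Resource: arn:aws:codepipeline:us-east-1:111122223333:payments-analytics-pipeline
          # An explicit Deny overrides any Allow attached elsewhere, so a
          # developer cannot release even if another policy is too broad.
          - Sid: NeverApproveOrRelease
            Effect: Deny
            Action:
              - codepipeline:PutApprovalResult
              - codepipeline:StartPipelineExecution
              - codepipeline:RetryStageExecution
            Resource: "*"

  # Operations approvers: may complete the manual approval action, and only
  # from an MFA-authenticated session; they never write to source control.
  OperationsApproverPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: payments-release-approver
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ApproveReleaseWithMfa
            Effect: Allow
            Action:
              - codepipeline:PutApprovalResult
            # PutApprovalResult is authorized at the action level:
            # arn:...:pipeline-name/stage-name/action-name
            Resource: arn:aws:codepipeline:us-east-1:111122223333:payments-analytics-pipeline/Approve/*
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
          - Sid: NeverWriteSource
            Effect: Deny
            Action:
              - codecommit:GitPush
              - codecommit:PutFile
              - codecommit:MergePullRequestByFastForward
              - codecommit:MergePullRequestBySquash
              - codecommit:MergePullRequestByThreeWay
              - codecommit:DeleteBranch
            Resource: "*"
```

Each policy is attached to its own IAM role; nobody is granted both. Two points are worth checking when adapting this. First, `Bool: aws:MultiFactorAuthPresent: "true"` evaluates to false when the context key is absent, which is the case for requests signed with long-term access keys, so approvals are only possible from console sessions or temporary credentials obtained with MFA. Second, every `PutApprovalResult` call is recorded by CloudTrail together with the calling principal, which is what gives the audit trail the explanation above refers to; a developer's attempt to approve would appear as an AccessDenied event rather than as a deployment.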