ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An organization is designing an AWS solution to archive several terabytes of sensitive log data in Amazon S3. The logs must be encrypted at rest, and decryption performance during periodic analytics jobs must have minimal CPU overhead. Key distribution will be handled separately through AWS KMS, which already stores an asymmetric key pair for exchanging data keys. Which cryptographic approach best meets the storage encryption requirement?
Encrypt each log file directly with an RSA-2048 public key and keep the private key in AWS KMS.
Use the RC4 stream cipher with a shared secret stored in AWS Secrets Manager to encrypt each object.
Apply an RSA-4096 digital signature to every object and rely on S3 Server-Side Encryption (SSE-S3) for confidentiality.
Encrypt each S3 object with AES-256 in CBC mode, generating a unique data key for every object.
For encrypting large data sets such as multi-terabyte log archives, a symmetric block cipher like AES is preferred. AES-256 in a mode such as CBC (or an authenticated mode like GCM) provides strong confidentiality with high performance because encryption and decryption operations are computationally efficient and can leverage hardware acceleration (for example, AES-NI). Encrypting the bulk data directly with RSA is impractical; asymmetric algorithms are orders of magnitude slower and are normally limited to encrypting only small amounts of data (typically a data-encryption key, not gigabytes of content). Simply signing the objects offers integrity and non-repudiation but does not encrypt the data, and relying on deprecated ciphers such as RC4 would violate current security best practices. Therefore, using AES-256 with a unique data key for each object is the correct and most efficient choice.