ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
As part of migrating a three-tier application to AWS, your security team mandates a zero trust approach for all east-west traffic. Microservices in an Amazon EKS cluster will call legacy services over an AWS Site-to-Site VPN to the on-prem data center. Which solution best meets zero trust principles while keeping operational overhead low?
Deploy a stateful firewall in front of the VPN termination and create rules for each required application port.
Enforce mutual TLS between EKS pods and on-prem APIs using certificates issued by a private PKI integrated with AWS Private CA.
Restrict VPC CIDR blocks using network ACLs and allow traffic only from the on-prem IP range.
Use a single shared IAM role assumed by all microservices to authenticate to on-prem services via Kerberos.
Zero trust assumes no implicit trust based on network location, so each request must be strongly authenticated and authorized. Mutual TLS provides per-session, cryptographically strong authentication of both client and server, enabling least-privilege policies based on workload identity instead of IP reachability. Issuing and rotating certificates automatically from an internal PKI, such as AWS Private CA, minimizes ongoing administrative effort. Relying only on network ACLs or perimeter firewalls continues to trust the network and does not verify workload identity. Sharing a single IAM role provides weak, coarse-grained identity and violates the zero trust goal of fine-grained authentication for every service.
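The following is an added example (not part of the practice question, and not code from ISC2 or AWS) that shows, in Go with the standard library only, the mechanism the explanation describes: a private CA (a stand-in for AWS Private CA) issues short-lived certificates to the legacy API and to each workload, the server requires a client certificate chaining to that CA, and only then applies a least-privilege policy keyed on the certificate's workload identity (a SPIFFE-style URI SAN). It goes beyond the question's single case by running three callers: a workload in policy, a workload with a valid certificate but no entitlement, and an impostor whose self-signed certificate claims the entitled identity. Every name here (`corp.example`, the `spiffe://` IDs, `legacy-api.corp.example`) and the functions `must`, `newCert`, `buildPKI` and `exchange` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed names for this example (none come from the page). Workload identities are SPIFFE-style
// URI SANs, and policy is keyed on them, never on a source IP or CIDR: least privilege per workload.
var (
	orderSvcID   = &url.URL{Scheme: "spiffe", Host: "corp.example", Path: "/ns/shop/sa/order-service"}
	reportSvcID  = &url.URL{Scheme: "spiffe", Host: "corp.example", Path: "/ns/analytics/sa/report-job"}
	legacyAPIDNS = "legacy-api.corp.example"
	policy       = map[string]bool{orderSvcID.String(): true}
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert signs tmpl (carrying only SAN fields; identity lives there, not in the subject) as a short-lived
// ECDSA P-256 cert. A nil parent means self-signed: the CA when isCA is true, an untrusted impostor otherwise.
func newCert(tmpl x509.Certificate, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour) // the PKI rotates these
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = isCA, true, x509.KeyUsageDigitalSignature
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = &tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, &tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// buildPKI is the constructed trust setup: a corporate CA (stand-in for the page's AWS Private CA) issues the
// legacy API's server cert and two workload certs; the impostor is self-signed yet claims the order-service ID.
func buildPKI() (*x509.Certificate, tls.Certificate, map[string]tls.Certificate) {
	ca, caTLS := newCert(x509.Certificate{}, true, nil, nil)
	_, server := newCert(x509.Certificate{DNSNames: []string{legacyAPIDNS}}, false, ca, caTLS.PrivateKey)
	_, order := newCert(x509.Certificate{URIs: []*url.URL{orderSvcID}}, false, ca, caTLS.PrivateKey)
	_, report := newCert(x509.Certificate{URIs: []*url.URL{reportSvcID}}, false, ca, caTLS.PrivateKey)
	_, impostor := newCert(x509.Certificate{URIs: []*url.URL{orderSvcID}}, false, nil, nil)
	return ca, server, map[string]tls.Certificate{"order-service": order, "report-job": report, "impostor": impostor}
}

// exchange runs one mTLS connection from a workload to the legacy API and returns the server's verdict.
// RequireAndVerifyClientCert makes the handshake itself fail unless the caller's cert chains to trustCA;
// only then is the cert's URI SAN (the workload identity) checked against policy.
func exchange(trustCA *x509.Certificate, server, client tls.Certificate, allowed map[string]bool) string {
	pool := x509.NewCertPool()
	pool.AddCert(trustCA)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	verdict := make(chan string, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			verdict <- "rejected at handshake: " + err.Error()
			return
		}
		for _, u := range tc.ConnectionState().PeerCertificates[0].URIs {
			if allowed[u.String()] {
				verdict <- "allowed: " + u.String()
				return
			}
		}
		verdict <- "denied: identity not in policy"
	}()
	// Mutual: the client verifies the server against the same private CA and presents its own cert.
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: legacyAPIDNS}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		defer conn.Close() // deferred so the server's handshake is never cut short before its verdict
	}
	return <-verdict
}

func main() {
	ca, server, clients := buildPKI()
	for name, c := range clients {
		fmt.Printf("%-14s -> %s\n", name, exchange(ca, server, c, policy))
	}
}
```

Run it with `go run`; it prints one verdict per caller: `allowed: ...` for the workload in policy, `denied: identity not in policy` for the workload that authenticated but has no entitlement, and `rejected at handshake: ...` for the impostor, whose identity claim never reaches the policy check because its chain does not end at the trusted CA. Nothing in the decision depends on the caller's IP address, which is exactly what the network ACL and firewall options in the question fail to deliver.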
Exam: ISC2 Systems Security Certified Practitioner (SSCP). Domain: Access Controls.