ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
While auditing an AWS workload, you learn that an Application Load Balancer (ALB) uses an SSL/TLS certificate whose private key was accidentally committed to a public Git repository. The issuing public CA has already revoked the certificate, breaking client connections. To avoid similar key-management lapses and minimize future renewal effort, which remediation best aligns with AWS and PKI best practices?
Move the existing private key into AWS Secrets Manager encrypted with a customer-managed KMS key and load it to the ALB at deployment time
Replace the compromised certificate with a standard (non-exportable) ACM-issued public certificate and attach it to the ALB so that ACM manages the private key and performs automatic renewals
Disable HTTPS on the ALB and require applications to use CloudFront signed URLs for confidentiality instead
Simply enable OCSP stapling on the ALB so clients will no longer reject the revoked certificate
The most secure course is to stop handling the certificate and key material yourself and instead request a standard (non-exportable) public certificate from AWS Certificate Manager (ACM) and attach it to the ALB. With this approach ACM generates and stores the private key entirely within AWS; unless the optional exportable setting is chosen, the key can never be retrieved, so it cannot be pasted into a config file or committed to a repository in the first place. ACM also renews the certificate automatically as long as it remains associated with an AWS service and validation can still succeed (for DNS validation, the CNAME records ACM asked for must stay in the zone; for email validation, someone must still act on the renewal mail). Storing the existing key in Secrets Manager does not help: the key is already public knowledge and must be treated as permanently compromised (rewriting the Git history does not un-leak it), every deployment that reads it back out is another copy to protect, and Secrets Manager does nothing about renewal. OCSP stapling only lets the server hand clients a pre-fetched revocation status; a stapled response for a revoked certificate still says "revoked", so it neither hides the compromise nor makes clients accept the certificate. Disabling HTTPS on the ALB in favour of CloudFront signed URLs confuses authorization with confidentiality: signed URLs gate who may request an object, while turning off TLS strips transport-layer encryption entirely and violates security best practices.
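The remediation described above, written out as an added Terraform example (not code from the page or from AWS documentation): an ACM public certificate validated by DNS, the validation CNAMEs kept under management so automatic renewal keeps working, and an HTTPS listener that references the certificate ARN rather than a key file. The resource names aws_route53_zone.primary, aws_lb.app and aws_lb_target_group.app, and the domain app.example.com, are assumptions standing in for resources defined elsewhere in the workload.

```hcl
# Added example (not from the original page). Assumes an existing Route 53
# hosted zone (aws_route53_zone.primary), an ALB (aws_lb.app) and a target
# group (aws_lb_target_group.app) defined elsewhere; the domain is made up.

resource "aws_acm_certificate" "alb" {
  domain_name               = "app.example.com"
  subject_alternative_names = ["www.app.example.com"]
  validation_method         = "DNS"

  # The private key is generated and held inside ACM. Terraform never sees it,
  # so it cannot land in state files, CI logs or a Git repository.
  # Leave the exportable option at its default (off) for the same reason.
  lifecycle {
    create_before_destroy = true # issue the replacement before the old cert is detached
  }
}

# DNS validation records. Do not delete them after issuance: ACM re-validates
# against the same CNAMEs when it renews the certificate automatically.
resource "aws_route53_record" "alb_validation" {
  for_each = {
    for dvo in aws_acm_certificate.alb.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = aws_route53_zone.primary.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Block until ACM reports the certificate as ISSUED, so the listener below is
# never created against a pending certificate.
resource "aws_acm_certificate_validation" "alb" {
  certificate_arn         = aws_acm_certificate.alb.arn
  validation_record_fqdns = [for r in aws_route53_record.alb_validation : r.fqdn]
}

# HTTPS listener: the only thing the ALB needs is the certificate ARN.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.alb.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

After `terraform apply`, confirm the certificate is in the state ACM needs for unattended renewal with `aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.{Status:Status,Renewal:RenewalEligibility}'`; Status should be ISSUED and RenewalEligibility should be ELIGIBLE. An ACM certificate that is no longer attached to any AWS resource stops being renewed, so detach the old, revoked certificate from the listener rather than leaving both in place.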
Domain: Cryptography