ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company deploys AWS Lambda functions through a CI/CD pipeline that uploads ZIP deployment packages to an Amazon S3 bucket. The security policy states that only code whose integrity is cryptographically verified can be deployed and that any tampering with the package in transit or at rest must be automatically blocked, without the team operating additional servers or writing custom verification scripts. Which solution best meets these requirements?
Configure S3 Object Lock in Compliance mode to prevent any overwrites or deletions of uploaded deployment packages.
Enable server-side encryption with AWS KMS (SSE-KMS) on the S3 bucket and rely on S3's built-in checksum verification to detect object tampering.
Store a SHA-256 checksum of each package in S3 object metadata and update the deployment script to compare the checksum before publishing the function.
Digitally sign each deployment package with AWS Signer and associate the Lambda function with a code signing configuration that enforces signature validation.
Attaching a code-signing configuration to the Lambda function and signing each deployment package with AWS Signer fulfills the policy. An AWS Signer signing job hashes the entire ZIP file, creates a digital signature with the signing profile's private key (which never leaves AWS Signer), and writes a signed copy of the package, with the signature embedded, back to S3. When that signed package is deployed, Lambda automatically verifies the signature against the trusted signing profiles listed in the code-signing configuration. A package whose contents no longer match the signed hash (the integrity check) is always rejected, regardless of policy; with the configuration's signature validation policy set to Enforce, packages that are unsigned, signed by a profile that is not an allowed publisher, expired, or revoked are rejected as well. (With the policy set to Warn, those untrusted-artifact cases are still deployed and only logged, so Enforce is required to meet this policy.) This satisfies the requirement to block tampered code without extra infrastructure or scripts.
Enabling SSE-KMS on the S3 bucket does provide cryptographic integrity for objects while they are stored and detects corruption of the encrypted data, but it does not prove the code originated from an authorized source or prevent an attacker with upload permissions from replacing the object with a different, freshly encrypted file, so Lambda would still accept malicious code. S3 Object Lock prevents overwrites and deletions of existing object versions but provides no cryptographic assurance of code authenticity, and a new version or a new key can still be uploaded and deployed. Storing checksums in custom metadata could detect tampering, but you would need to build and operate scripts to calculate, store, and verify the hashes, contrary to the requirement to avoid custom tooling; an attacker who can overwrite the object can usually overwrite its metadata as well.
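The Terraform configuration below is an added example, not part of this question or of any AWS documentation, showing how the chosen answer is wired together: a signing profile, a signing job that turns the pipeline's unsigned ZIP into a signed ZIP, a code signing configuration with the Enforce policy, and a function that deploys only the signed artifact. The region, bucket name, object key and version ID, IAM role ARN and function name are placeholders; AWS Signer requires the source bucket to have versioning enabled, which is why a version ID is supplied.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

# Placeholder identifiers for this example; replace with the pipeline's real values.
locals {
  artifact_bucket  = "example-lambda-artifacts"
  unsigned_key     = "build/app.zip"
  unsigned_version = "EXAMPLEVERSIONID" # S3 object version written by the CI upload
  lambda_role_arn  = "arn:aws:iam::123456789012:role/example-lambda-exec"
}

# 1. Signing profile: AWS Signer holds the private key; the team never handles it.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "ci_"
}

# 2. Signing job: reads the unsigned ZIP from S3, hashes and signs it,
#    and writes the signed ZIP back under the "signed/" prefix.
resource "aws_signer_signing_job" "app" {
  profile_name = aws_signer_signing_profile.lambda.name

  source {
    s3 {
      bucket  = local.artifact_bucket
      key     = local.unsigned_key
      version = local.unsigned_version
    }
  }

  destination {
    s3 {
      bucket = local.artifact_bucket
      prefix = "signed/"
    }
  }

  # Fail the apply if signing fails instead of silently continuing.
  ignore_signing_job_failure = false
}

# 3. Code signing configuration: only this profile is an allowed publisher, and
#    untrusted artifacts (unsigned, expired, revoked, or signed by another
#    profile) are blocked. Integrity failures are blocked regardless of policy.
resource "aws_lambda_code_signing_config" "enforce" {
  description = "Only artifacts signed by the CI signing profile may be deployed"

  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }

  policies {
    untrusted_artifact_on_deployment = "Enforce" # "Warn" would log and still deploy
  }
}

# 4. The function deploys the signed artifact produced by the signing job,
#    never the unsigned build output.
resource "aws_lambda_function" "app" {
  function_name = "example-app"
  role          = local.lambda_role_arn
  handler       = "app.handler"
  runtime       = "python3.12"

  s3_bucket = aws_signer_signing_job.app.signed_object[0].s3[0].bucket
  s3_key    = aws_signer_signing_job.app.signed_object[0].s3[0].key

  code_signing_config_arn = aws_lambda_code_signing_config.enforce.arn
}
```

With this in place, any later deployment that points the function at the unsigned `build/app.zip`, at a ZIP signed by a different profile, or at a signed ZIP whose bytes were modified after signing is rejected by the Lambda API at deployment time, with no verification script in the pipeline and no extra server.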
Security Concepts and Practices