ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company ingests 5 GB of sensitive customer telemetry each hour from on-premises servers to an Amazon S3 data lake. Analysis jobs on multiple Amazon EC2 instances must later download and decrypt the objects. Management requires strong confidentiality while minimizing CPU overhead during both upload and processing. Which approach best satisfies these requirements?
Hash each file with SHA-256 and upload both the hash and the plaintext file to S3 for later integrity checks.
Attach an ECDSA digital signature to every file and store the file unencrypted in S3, relying on the signature for protection.
Call AWS KMS GenerateDataKey for each upload, encrypt the file client-side with AES-256-GCM, and store the KMS-encrypted data key with the object so authorized EC2 instances can decrypt and use it.
Encrypt each file with a unique RSA-4096 public key for every EC2 instance before uploading to S3.
Using client-side AES-256 in GCM mode provides authenticated encryption that is hardware-accelerated on modern CPUs, keeping per-byte overhead low. With AWS KMS, each uploader calls GenerateDataKey to obtain a unique 256-bit data key, encrypts the file with that key, and then stores the encrypted copy of the data key (returned by KMS) alongside the object. During download, an authorized EC2 instance passes the encrypted key to the KMS Decrypt API to get the plaintext key and decrypts the file, meeting the confidentiality requirement with minimal CPU cost. Encrypting multi-gigabyte files directly with RSA-4096 is computationally prohibitive, while hashing or merely signing the plaintext provides integrity or authenticity but no confidentiality.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AES-256-GCM and why is it used in this scenario?
Open an interactive chat with Bash
What is AWS KMS and how does GenerateDataKey function in this context?
Open an interactive chat with Bash
Why isn't RSA-4096 suitable for encrypting multi-gigabyte files?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .