ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs an accounting application on Amazon EC2 instances located in a private subnet. Each night the instances upload about 200 GB of financial archives to an Amazon S3 bucket that is owned by a different AWS account. The security team requires that any data in transit be encrypted, that the traffic remain on the AWS backbone rather than leave AWS infrastructure, and that the solution add as little cost and operational overhead as possible. Which approach best satisfies these requirements?
Upload the archives over HTTPS to the bucket's public S3 Regional endpoint and rely on server-side encryption with AWS KMS.
Order an AWS Direct Connect dedicated line with a private virtual interface and establish an IPsec VPN tunnel over it to reach the S3 bucket.
Create a gateway VPC endpoint for Amazon S3 in the application VPC, allow access in the bucket policy, and perform the uploads over HTTPS.
Send the archives to an SFTP server in a public subnet, then configure Amazon S3 Transfer Acceleration to pull the files into the destination bucket.
A gateway VPC endpoint for Amazon S3 adds a private target to the VPC route table so that traffic from the subnet to S3 stays entirely on the AWS network. When the application connects over HTTPS, TLS provides encryption in transit, meeting the security mandate without code changes. Gateway endpoints have no hourly cost and do not require a NAT gateway, Direct Connect circuit, VPN tunnel, or intermediary transfer server, keeping both cost and operational complexity low.
Uploading through the public S3 endpoint would also stay on the AWS backbone, but a private-subnet workload would need a NAT gateway or proxy, which adds recurring charges and management. Direct Connect with an IPsec VPN provides private, encrypted connectivity but is significantly more expensive and operationally intensive. Using an SFTP server plus S3 Transfer Acceleration introduces additional infrastructure, per-GB acceleration fees, and management overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a gateway VPC endpoint, and how does it work?
Open an interactive chat with Bash
Why does traffic stay on the AWS backbone when using a gateway endpoint?
Open an interactive chat with Bash
How does TLS encryption provide security during data transfer to Amazon S3?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .