ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your DevOps team stores startup scripts in an Amazon S3 bucket and distributes them to hundreds of new EC2 instances at launch. To guarantee the scripts are genuine without deploying a full certificate authority, the team uses GNU Privacy Guard (GPG) and a Web-of-Trust model. A new engineer has just published her GPG public key. Which action must each EC2 instance (or its configuration management process) perform so the instances can verify the engineer's future script signatures under the existing trust model?
Request a commercially issued X.509 certificate for the engineer's key and distribute the certificate chain to all EC2 instances.
Upload the engineer's public key to AWS Certificate Manager and reference it in the S3 bucket policy so instances inherit trust automatically.
Import the engineer's public key to each instance and sign it with an already-trusted operations key to extend trust through the Web-of-Trust.
Store the engineer's private key in AWS Secrets Manager and allow EC2 instances to retrieve it through an IAM role at launch.
In a GPG Web-of-Trust, keys become trusted when other already-trusted users certify them. Each EC2 instance (or more practically, the configuration management process that runs during bootstrap) must import the new engineer's public key and then apply a local signature from a key that the instance already trusts, typically the operations team's master signing key. This establishes transitive trust, enabling the instance to validate any scripts the engineer signs.
Adding the key to AWS Certificate Manager or obtaining an X.509 certificate would shift to a hierarchical PKI rather than the decentralized Web-of-Trust model. Storing the private key in Secrets Manager would violate key-management best practices and is unnecessary for signature verification. Simply distributing the public key without signing it does not confer trust; the instance would still treat the key as unknown and refuse to trust the signatures.
Cryptography