ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization is migrating an on-premises HR application that stores sensitive employee PII to Amazon S3. To meet PCI-DSS requirements, the data must be encrypted at rest, encryption keys must be managed separately from the data, and operations staff want to avoid running their own key infrastructure. Which approach best satisfies these confidentiality requirements while minimizing operational overhead?
Configure server-side encryption with AWS Key Management Service keys (SSE-KMS) and attach a bucket policy that requires all uploads to specify the KMS key.
Require client-side encryption using customer-provided keys stored in an on-premises hardware security module (HSM) before uploading each object to S3.
Migrate the data to encrypted Amazon EBS volumes attached to an EC2 instance and expose the files through an SFTP server.
Enable server-side encryption with Amazon S3 managed keys (SSE-S3) on the bucket that stores the HR data.
Server-side encryption with AWS KMS-managed CMKs (SSE-KMS) encrypts each object with a unique data key and protects that key with a master key stored in AWS Key Management Service. KMS provides centralized key management, automatic key rotation, fine-grained IAM and key policies, and CloudTrail logging-meeting PCI-DSS expectations that encryption keys be managed and audited separately from the data they protect. SSE-S3 also encrypts data at rest but does not give the organization independent control over keys or audit trails. Client-side encryption with on-premises keys meets separation requirements but adds significant operational burden for key storage, rotation, and secure upload logic. Encrypting EBS volumes on EC2 would not protect data once it is stored in S3. Therefore, enabling SSE-KMS with a bucket policy that enforces its use is the most appropriate and low-maintenance solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SSE-KMS and how does it work?
Open an interactive chat with Bash
Why is SSE-S3 not sufficient to meet PCI-DSS requirements?
Open an interactive chat with Bash
What are the advantages of AWS KMS for encryption key management?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .