ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your security team needs cryptographic assurance that 100 GB database backup files copied nightly from on-premises storage to an Amazon S3 bucket have not been altered in transit or while stored. They must also be able to programmatically re-verify each object's integrity before a restore operation without decrypting the data. Which approach provides this capability with the least operational overhead?
Maintain an external manifest of object names and sizes in the AWS Glue Data Catalog and compare the manifest before every restore.
Enable server-side encryption with customer-provided keys (SSE-C) so that S3 validates the MD5 digest of the encryption key during both upload and download operations.
Use AWS Backup to copy the S3 bucket to another Region with Object Lock enabled, relying on immutability to guarantee integrity of the backup data.
Have the backup workflow calculate a SHA-256 checksum for each file and include it in the x-amz-checksum-sha256 header (or set ChecksumAlgorithm=SHA-256) when uploading, allowing Amazon S3 to verify the checksum on upload, store it as metadata, and return it in response headers for client-side integrity re-checks.
Including a pre-calculated SHA-256 checksum in the x-amz-checksum-sha256 header (or specifying ChecksumAlgorithm=SHA-256) when uploading each object lets Amazon S3 compare the client-supplied checksum with the one it computes server-side; the upload is rejected if they differ. S3 then stores the verified checksum as object metadata and returns it in the x-amz-checksum-sha256 response header for subsequent GET or HEAD requests, so clients can recompute the checksum locally and confirm the object has not changed-without needing to decrypt the data. SSE-C validates only the MD5 of the encryption key, not the object data, and requires providing the key to re-verify. An external manifest in AWS Glue or relying solely on AWS Backup with Object Lock would add operational complexity and still require separate integrity checks. Therefore, using S3's native SHA-256 checksum capability is the simplest and most effective solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the SHA-256 checksum and how does it work?
Open an interactive chat with Bash
How does Amazon S3 use x-amz-checksum-sha256 headers during file uploads?
Open an interactive chat with Bash
Why is the SHA-256 checksum method better than other options like SSE-C or AWS Backup Object Lock for integrity checks?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .