ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your security team uses the AWS CLI to copy nightly financial reports from an encrypted S3 bucket to an external auditor's on-premises system. Policy requires the reports be encrypted so only the auditor can decrypt them, and your company must never possess the decryption key. Which approach meets these requirements with minimal changes to the current workflow?
Encrypt each report on the client with the auditor's RSA public key before uploading to S3; the auditor decrypts the files with the corresponding private key.
Create an asymmetric CMK in AWS KMS, export its private key to the auditor, and use the CMK's public key for client-side encryption.
Enable default encryption on the S3 bucket using SSE-S3 so Amazon S3 encrypts all objects before transfer.
Configure S3 server-side encryption with a customer-managed symmetric CMK in AWS KMS and share the CMK with the auditor.
Encrypting the files on the client with the auditor's RSA public key means the private key needed for decryption is never shared or stored in AWS. Only the auditor, who controls the matching private key, can decrypt the data, satisfying the requirement that your organization cannot access the plaintext or the decryption key.
Using S3 server-side encryption with a customer-managed CMK would still allow your organization (and AWS) to decrypt the data, violating the requirement. Enabling default SSE-S3 similarly lets AWS manage and use the keys. Creating an asymmetric CMK in AWS KMS and trying to export its private key is impossible because AWS never allows the private portion of a KMS asymmetric key to leave the service. Therefore, client-side encryption with the auditor's public key is the only compliant option that keeps the existing AWS CLI workflow largely unchanged.
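The client-side step described above, as an added example (not part of the original question or any AWS tooling): because RSA cannot encrypt a whole report directly, the file is encrypted under a one-time random secret, and only that secret is wrapped with the auditor's public key. It assumes the OpenSSL CLI; the file names and the bucket in the final comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: envelope encryption to the auditor's RSA public key.
# Assumes the OpenSSL CLI; all paths are hypothetical placeholders.

# Company side: needs only the auditor's PUBLIC key.
# usage: encrypt_for_auditor <auditor_pub.pem> <report> <out_prefix>
encrypt_for_auditor() (
  pub=$1; report=$2; out=$3
  umask 077
  secret=$(mktemp) || exit 1
  rc=0
  # One-time random secret that protects this report only.
  openssl rand -hex 32 > "$secret" &&
  # Bulk-encrypt the report under a key derived from the secret.
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$secret" \
      -in "$report" -out "$out.enc" &&
  # Wrap the secret with RSA-OAEP; only the private-key holder can unwrap it.
  openssl pkeyutl -encrypt -pubin -inkey "$pub" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -in "$secret" -out "$out.key" || rc=$?
  rm -f "$secret"   # the company keeps no copy of the secret
  exit "$rc"
)

# Auditor side: needs the matching PRIVATE key, which never leaves the auditor.
# usage: decrypt_as_auditor <auditor_priv.pem> <in_prefix> <plaintext_out>
decrypt_as_auditor() (
  priv=$1; in=$2; out=$3
  umask 077
  secret=$(mktemp) || exit 1
  rc=0
  openssl pkeyutl -decrypt -inkey "$priv" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -in "$in.key" -out "$secret" &&
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$secret" \
      -in "$in.enc" -out "$out" || rc=$?
  rm -f "$secret"
  exit "$rc"
)

# The existing copy step then moves both outputs unchanged, for example:
#   aws s3 cp report.enc s3://EXAMPLE-BUCKET/ && aws s3 cp report.key s3://EXAMPLE-BUCKET/
```

`openssl enc` in CBC mode provides confidentiality only, so pair it with a signature or digest check if the auditor must also detect tampering.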
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography