ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your team is building a cross-account AWS solution that stores transcoded media files in Amazon S3. Each object is automatically tagged with a data classification value of Public, Confidential, or Secret. Corporate security policy requires that the classification label alone must dictate which IAM principals can read or overwrite the files, and individual bucket owners must be unable to loosen these restrictions. Which access-control approach best satisfies this requirement?
Rely on discretionary access control so each bucket owner can manage access control lists (ACLs) for their objects
Use attribute-based access control (ABAC) policies that evaluate the object's classification tag during each access request
Implement a mandatory access control model that uses the object's classification label and the subject's clearance, enforced centrally
Apply role-based access control by mapping IAM roles to S3 bucket policies for each classification level
Mandatory access control (MAC) relies on centrally managed security labels assigned to both subjects and objects. Access decisions are made by the system by comparing the subject's clearance with the object's classification; resource owners cannot override the policy, which aligns exactly with the requirement that bucket owners be unable to relax controls.
Discretionary access control allows the resource owner to grant or revoke permissions and therefore violates the policy. Role-based access control ties permissions to job roles but does not inherently prevent owners from changing ACLs. Attribute-based access control can use tags for decisions but, unlike MAC, it is typically implemented as a discretionary or policy-based scheme where permissions may still be modified by administrators of individual resources. Only a MAC model with security labels enforces the mandatory, non-bypassable, centrally controlled restrictions described.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is mandatory access control (MAC)?
Open an interactive chat with Bash
How does MAC differ from discretionary access control (DAC)?
Open an interactive chat with Bash
Why is MAC suitable for environments with strict security requirements?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .