ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your team is designing an Amazon RDS PostgreSQL database to store protected health information (PHI). Compliance rules mandate that data must remain confidential on disk and that any unauthorized modification must be detectable when records are read. The solution should minimize performance overhead at scale. Which approach best meets both confidentiality and integrity requirements?
Rely on security groups and IAM policies to restrict access; store records in plaintext to avoid performance impact.
Encrypt each record with an RSA public key and sign it with the corresponding private key before storage.
Encrypt each record with AES-256 and store an HMAC of the ciphertext generated with a secret key kept in AWS KMS.
Store only a SHA-1 hash of each record in the database to detect tampering and avoid the need for encryption.
Symmetric algorithms such as AES-256 efficiently provide data confidentiality at rest because encryption and decryption use the same key and incur far lower processing overhead than public-key (asymmetric) ciphers like RSA. To detect any change to stored data, a keyed hash (HMAC) can be calculated when the record is written and verified when it is read; HMAC supplies integrity and authentication as long as the secret key is protected (for example in AWS KMS). Encrypting only with AES covers confidentiality but not integrity, while storing hashes without encryption leaves data exposed. Relying solely on network and IAM controls does not satisfy encryption requirements. Therefore, combining AES-256 encryption with an HMAC computed using a KMS-protected key is the most appropriate choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AES-256 encryption?
Open an interactive chat with Bash
What is HMAC and how does it ensure integrity?
Open an interactive chat with Bash
What is AWS KMS and why is it important in this solution?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .