Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C03 Exam - Topic 2 Question 1 Discussion

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.Which solution meets these requirements?
A) Create an Amazon S3 bucket with S3 Object Lock enabled. Create an AWS CloudTrail trail with log file validation enabled for KMS events. Store logs in the bucket and grant auditors access.
B) Log application events to Amazon CloudWatch Logs and export them.
C) Capture KMS API calls using EventBridge and store them in DynamoDB.
D) Track KMS usage with CloudWatch metrics and dashboards.

Amazon SCS-C03 Exam - Topic 2 Question 1 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 1
Topic #: 2
[All SCS-C03 Questions]

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

Which solution meets these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: A

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security -- Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock


by Matilda at Jan 28, 2026, 03:17 PM

Limited Time Offer

25%

Off

Get Premium SCS-C03 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Annamae
1 month ago
I feel like there are better options than just logging in CloudWatch.
upvoted 0 times
...
Destiny
1 month ago
Wait, can you really use CloudTrail for KMS events?
upvoted 0 times
...
Marge
1 month ago
Not so sure about A, what if S3 gets compromised?
upvoted 0 times
...
Cheryl
2 months ago
I agree, A is the best choice for compliance!
upvoted 0 times
...
Salina
2 months ago
Option A seems solid with S3 Object Lock for immutability.
upvoted 0 times
...
Ashlyn
2 months ago
Haha, option B? Seriously? CloudWatch Logs? That's like storing your important documents in a cardboard box.
upvoted 0 times
...
Miss
2 months ago
A is the clear winner here. Gotta love that S3 Object Lock feature for compliance.
upvoted 0 times
...
Glendora
2 months ago
I'd have to go with A. Auditors will appreciate the secure and tamper-proof storage of the KMS event logs.
upvoted 0 times
...
Lillian
3 months ago
Definitely A. Storing the logs in an S3 bucket with Object Lock is the best way to ensure compliance.
upvoted 0 times
...
Stephania
3 months ago
Option A is the way to go. S3 Object Lock and CloudTrail logs will provide the immutable evidence we need.
upvoted 0 times
...
Serita
3 months ago
CloudWatch metrics seem useful, but I don't recall if they provide the level of detail needed for compliance audits.
upvoted 0 times
...
Marta
3 months ago
I'm a bit confused about whether DynamoDB is the best choice for storing KMS API calls. I feel like there might be better options.
upvoted 0 times
...
Marylou
4 months ago
I think option A sounds familiar from our practice questions, especially with CloudTrail logs for KMS events.
upvoted 0 times
...
Tammara
4 months ago
I remember that S3 Object Lock is important for immutability, but I'm not sure if it covers all compliance needs.
upvoted 0 times
...
Belen
4 months ago
This is a tricky one, but I think option A is the way to go. S3 Object Lock and CloudTrail seem like the best combo to create that immutable audit trail of KMS usage. I'll make sure to review the details, but that's my initial take.
upvoted 0 times
...
Haydee
4 months ago
I'm leaning towards option C. Capturing the KMS API calls in EventBridge and storing them in DynamoDB seems like a straightforward way to meet the audit trail requirement. Plus, DynamoDB should provide the immutability needed.
upvoted 0 times
...
Anglea
4 months ago
Okay, I've got a strategy here. I'll focus on the key requirements - immutable evidence and auditing KMS usage. Option A looks like it covers those bases with S3 Object Lock and CloudTrail. I'll dig into the specifics of those services to make sure it meets the needs.
upvoted 0 times
...
Rosamond
5 months ago
Hmm, this seems like a tricky one. I think option A might be the way to go - using S3 Object Lock and CloudTrail to create an immutable audit trail. But I'll need to double-check the details on those services.
upvoted 0 times
...
Berry
5 months ago
I'm not sure how to approach this question. The requirements around immutable evidence and compliance seem complex, and I'm not familiar with all the AWS services mentioned.
upvoted 0 times
...

Save Cancel