Welcome to Pass4Success


Amazon SCS-C03 Exam - Topic 2 Question 1 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 1
Topic #: 2

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

Which solution meets these requirements?

Suggested Answer: A

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security - Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security - Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock
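
The controls named in the explanation above can be checked mechanically. The following is an added example, not part of the original page or of any AWS tooling: it audits a trail description and a bucket's Object Lock configuration, shaped like the responses of CloudTrail DescribeTrails and S3 GetObjectLockConfiguration. The function name, bucket name, sample values and the 365-day minimum retention are assumptions.

```python
# Added example. Input dicts mirror the response shapes of CloudTrail DescribeTrails
# (one trailList entry) and S3 GetObjectLockConfiguration. All values are constructed.

def evidence_gaps(trail, bucket, lock_response, min_days=365):
    """Return findings; an empty list means the evidence controls are in place.

    min_days is a hypothetical retention requirement, not a value from the page.
    """
    gaps = []
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("trail: log file validation is off, so tampering goes undetected")
    if trail.get("S3BucketName") != bucket:
        gaps.append("trail: logs are not delivered to the locked bucket")

    cfg = lock_response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        gaps.append("bucket: Object Lock is not enabled")
        return gaps

    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode is None:
        gaps.append("bucket: no default retention, new log objects are not locked")
        return gaps
    if mode != "COMPLIANCE":
        # GOVERNANCE can be overridden with s3:BypassGovernanceRetention.
        gaps.append(f"bucket: retention mode is {mode}, not COMPLIANCE")
    # S3 expresses default retention in Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        gaps.append(f"bucket: default retention of {days} days is below {min_days}")
    return gaps

BUCKET = "example-evidence-bucket"  # constructed name
WEAK_TRAIL = {"Name": "kms-audit", "S3BucketName": BUCKET, "LogFileValidationEnabled": False}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
GOOD_TRAIL = {"Name": "kms-audit", "S3BucketName": BUCKET, "LogFileValidationEnabled": True}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

if __name__ == "__main__":
    for finding in evidence_gaps(WEAK_TRAIL, BUCKET, WEAK_LOCK):
        print("FINDING:", finding)
    print("hardened:", evidence_gaps(GOOD_TRAIL, BUCKET, GOOD_LOCK) or "no gaps")
```
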


Contribute your Thoughts:

Marylou
5 days ago
I think option A sounds familiar from our practice questions, especially with CloudTrail logs for KMS events.
upvoted 0 times
...
Tammara
10 days ago
I remember that S3 Object Lock is important for immutability, but I'm not sure if it covers all compliance needs.
upvoted 0 times
...
Belen
15 days ago
This is a tricky one, but I think option A is the way to go. S3 Object Lock and CloudTrail seem like the best combo to create that immutable audit trail of KMS usage. I'll make sure to review the details, but that's my initial take.
upvoted 0 times
...
Haydee
20 days ago
I'm leaning towards option C. Capturing the KMS API calls in EventBridge and storing them in DynamoDB seems like a straightforward way to meet the audit trail requirement. Plus, DynamoDB should provide the immutability needed.
upvoted 0 times
...
Anglea
25 days ago
Okay, I've got a strategy here. I'll focus on the key requirements - immutable evidence and auditing KMS usage. Option A looks like it covers those bases with S3 Object Lock and CloudTrail. I'll dig into the specifics of those services to make sure it meets the needs.
upvoted 0 times
...
Rosamond
1 month ago
Hmm, this seems like a tricky one. I think option A might be the way to go - using S3 Object Lock and CloudTrail to create an immutable audit trail. But I'll need to double-check the details on those services.
upvoted 0 times
...
Berry
1 month ago
I'm not sure how to approach this question. The requirements around immutable evidence and compliance seem complex, and I'm not familiar with all the AWS services mentioned.
upvoted 0 times
...
