Amazon SCS-C03 Exam - Topic 2 Question 1 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 1
Topic #: 2

A company needs to build a code-signing solution using an AWS KMS asymmetric key and must store immutable evidence of key creation and usage for compliance and audit purposes.

Which solution meets these requirements?

Suggested Answer: A

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation makes tampering with the delivered log files detectable. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security - Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

- AWS Certified Security - Specialty Official Study Guide
- AWS CloudTrail Log File Validation
- Amazon S3 Object Lock


Contribute your Thoughts:
Ashlyn
4 days ago
Haha, option B? Seriously? CloudWatch Logs? That's like storing your important documents in a cardboard box.
upvoted 0 times
...
Miss
10 days ago
A is the clear winner here. Gotta love that S3 Object Lock feature for compliance.
upvoted 0 times
...
Glendora
15 days ago
I'd have to go with A. Auditors will appreciate the secure and tamper-proof storage of the KMS event logs.
upvoted 0 times
...
Lillian
20 days ago
Definitely A. Storing the logs in an S3 bucket with Object Lock is the best way to ensure compliance.
upvoted 0 times
...
Stephania
25 days ago
Option A is the way to go. S3 Object Lock and CloudTrail logs will provide the immutable evidence we need.
upvoted 0 times
...
Serita
1 month ago
CloudWatch metrics seem useful, but I don't recall if they provide the level of detail needed for compliance audits.
upvoted 0 times
...
Marta
1 month ago
I'm a bit confused about whether DynamoDB is the best choice for storing KMS API calls. I feel like there might be better options.
upvoted 0 times
...
Marylou
2 months ago
I think option A sounds familiar from our practice questions, especially with CloudTrail logs for KMS events.
upvoted 0 times
...
Tammara
2 months ago
I remember that S3 Object Lock is important for immutability, but I'm not sure if it covers all compliance needs.
upvoted 0 times
...
Belen
2 months ago
This is a tricky one, but I think option A is the way to go. S3 Object Lock and CloudTrail seem like the best combo to create that immutable audit trail of KMS usage. I'll make sure to review the details, but that's my initial take.
upvoted 0 times
...
Haydee
2 months ago
I'm leaning towards option C. Capturing the KMS API calls in EventBridge and storing them in DynamoDB seems like a straightforward way to meet the audit trail requirement. Plus, DynamoDB should provide the immutability needed.
upvoted 0 times
...
Anglea
3 months ago
Okay, I've got a strategy here. I'll focus on the key requirements - immutable evidence and auditing KMS usage. Option A looks like it covers those bases with S3 Object Lock and CloudTrail. I'll dig into the specifics of those services to make sure it meets the needs.
upvoted 0 times
...
Rosamond
3 months ago
Hmm, this seems like a tricky one. I think option A might be the way to go - using S3 Object Lock and CloudTrail to create an immutable audit trail. But I'll need to double-check the details on those services.
upvoted 0 times
...
Berry
3 months ago
I'm not sure how to approach this question. The requirements around immutable evidence and compliance seem complex, and I'm not familiar with all the AWS services mentioned.
upvoted 0 times
...