DynamoDB can be a good option for this (as well as Secrets Manager, SSM, or an S3 file). For example, look at credstash (https://github.com/fugue/credstash). It uses KMS and DynamoDB to store secrets. There is nothing in the question that says using KMS is out of consideration.
Therefore I submit that "The only one that works and leads us away from hard-coding into more secure multi-layer control is storing on S3 and being dynamically read" is incorrect; DynamoDB is also an option that moves you towards a more secure solution as well.
You’ve fallen into the Practitioner’s Curse trap and this is a trick that will trip you up on the exam, especially if you’re experienced. You have to evaluate the question on what is written and nothing more…no additional GitHub projects or no additional services. The DynamoDB answer says "Store credentials in DynamoDB and create an IAM policy with access and assign to the EC2 instance." It says nothing about encrypting them or using KMS.
If you use the "nothing says