A developer is building a mobile application that must let end users sign up, sign in with email and password, and reset forgotten passwords, all managed by AWS without running a custom user database. After sign-in the application calls a backend REST API but does not yet need to call AWS service APIs directly. Which Amazon Cognito component should the developer use for this sign-up and sign-in requirement?
- A. An Amazon Cognito identity pool, because it provides the hosted sign-up and sign-in screens and stores each user profile and password for the mobile application.
- B. An AWS Identity and Access Management (IAM) user for each application user, because IAM manages credentials and password resets centrally for any kind of human sign-in.
- C. An Amazon Cognito identity pool federated to social providers, because it authenticates the email and password and then returns session tokens to the application.
- D. An Amazon Cognito user pool, because it is a managed user directory that handles sign-up, sign-in, and password reset and issues tokens after authentication. (Correct)
Why A is wrong: An identity pool exchanges an existing identity for AWS credentials and does not store user profiles or passwords, so it cannot provide the sign-up and sign-in directory the application needs.
Why B is wrong: IAM users are meant for workforce and service access, not for large, fluctuating end-user populations, and AWS advises against creating an IAM user per application user for sign-in.
Why C is wrong: An identity pool federates already authenticated identities and never validates an email and password itself, so it cannot perform the primary sign-in that the application requires.
Why D is correct: A Cognito user pool is a fully managed directory that performs sign-up, sign-in, and password recovery and returns ID and access tokens, which matches the stated requirement exactly.