A developer is designing a mobile game application relying on some AWS serverless services. To access these services, requests must be signed with an AWS access key. Among recommended approaches, which one is the most appropriate in this sort of scenario?

Answer options:

A.Embed or distribute long-term AWS credentials that a user downloads to an encrypted store.
B.Use Amazon Cognito which acts as an identity broker to implement web identity federation.
C.Write code that interacts with a web identity provider and trades the authentication token for AWS temporary security credentials.
D.Use federation and AWS IAM to enable single sign-on (SSO) to your AWS root accounts.

Correct Answer: B
It is recommended for best results, using Amazon Cognito as your identity broker for almost all web identity federation scenarios.
Incorrect Answers:
Option A is incorrect because it is strongly recommended that you do not embed or distribute long-term AWS credentials with apps that users download to a device, even in an encrypted store. Using a web identity provider helps you keep your AWS account secure. Because you don`t have to embed and distribute long-term security credentials with your application.
Option C is incorrect because the best approach here is using Amazon Cognito. If you don`t use Amazon Cognito, you must write code that interacts with a web identity provider, such as Facebook, and then calls the AssumeRoleWithWebIdentity API to trade the authentication token you get from those web identity providers for AWS temporary security credentials.
Option D is incorrect because it does not make sense, and it is referring to AWS root accounts.
References:
https://amzn.to/2TAAGDd
https://amzn.to/3d0zQr7