Answer: C
Option A is incorrect because an IAM OIDC identity provider is used to establish trust between an OIDC-compatible IdP and your AWS account; it does not let you manage users.
Option B is incorrect because you use an IAM identity provider when you want to establish trust between a SAML-compatible IdP such as Shibboleth or Active Directory Federation Services and AWS so that users in your organization can access AWS resources. This does not assist in managing user profiles.
Option C is CORRECT because a user pool is a user directory in Amazon Cognito. With a user pool, users can sign in to your web or mobile app through Amazon Cognito. Users can also sign in through social identity providers like Facebook or Amazon and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
Option D is incorrect because managing thousands of users and their permissions would create management and maintenance overhead.
The AWS documentation lists the following features of user pools:
Sign-up and sign-in services.
A built-in, customizable web UI to sign in users.
Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.
User directory management and user profiles.
Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
Customized workflows and user migration through AWS Lambda triggers.
For more information on Cognito user pools, refer to the following URL:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html