A user has created a mobile application that makes calls to DynamoDB to fetch certain data. The application uses the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below-mentioned user`s authentication is true concerning the best practice for security in this scenario?

Answer options:

A.The user should create a separate IAM user for each mobile application and provide DynamoDB access with it.
B.The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2.
C.The application should use an IAM role with web identity federation, which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook.
D.Create an IAM Role with DynamoDB access and attach it with the mobile application.

Answer – C
Option A is incorrect because creating a separate user for each application user is not a feasible, secure, and recommended solution.
Option B is incorrect because the mobile users may not be AWS users. You need to give access to the mobile application via a federated identity provider.
Option C is CORRECT because it creates a role for Federated Users, enabling the users to sign in to the app using their Amazon, Facebook, or Google identity and authorize them to access DynamoDB seamlessly.
Option D is incorrect because creating an IAM Role is not sufficient. You need to authenticate the application users via a web identity provider, get the temporary credentials via a Security Token Service (STS) and then access DynamoDB.More information on Web Identity Federation:
With Web Identity Federation, you don`t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account.
For more information on Web Identity Federation, please visit the link.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html