A company wants to grant temporary access to AWS resources for a mobile application's users. Which AWS service should they use?
- Amazon Cognito ✓
- AWS IAM Users
- AWS Organizations
- AWS Directory Service
Correct answer: Amazon Cognito
Option A is correct because Amazon Cognito provides user pools for authentication and identity pools for granting temporary, scoped AWS credentials to authenticated users or guests, making it the purpose-built service for giving mobile and web application users temporary access to AWS resources. Option B is wrong because IAM Users represent long-term identities with persistent credentials and are not designed to manage millions of end-user app identities or issue temporary session tokens to those users at scale. Option C is wrong because AWS Organizations is a governance service for managing multiple AWS accounts under a hierarchy; it does not handle end-user authentication or temporary credential issuance for application users. Option D is wrong because AWS Directory Service integrates with Microsoft Active Directory for enterprise identity management of employees and workloads, not for vending temporary credentials to mobile application end users.
Topic: amazon cognito, temporary credentials, aws iam, mobile identity