This solution represents a standard, serverless, and scalable architecture for this use case, minimizing operational overhead. Amazon Cognito is the appropriate managed service for handling user sign-up, sign-in, and identity management for tens of thousands of application users. Integrating Cognito with an API Gateway authorizer provides a secure and managed way to control API access. Storing large binary objects like photos (up to 5 MB) in Amazon S3 is the correct approach, as DynamoDB has a 400 KB item size limit. Storing the S3 object key (metadata) in DynamoDB allows for efficient querying and retrieval of photo details.

A. Storing photos directly in DynamoDB is not feasible. DynamoDB has a maximum item size of 400 KB, while the photos can be up to 5 MB.

C. Creating an IAM user for each application user is an anti-pattern. IAM is for managing access to AWS resources, not for application end-users. This approach has high operational overhead and does not scale effectively.

D. Building a custom user management system in DynamoDB with a Lambda authorizer creates significant development and operational overhead for features like password hashing, session management, and password resets, which Amazon Cognito provides as a managed service.

1. Amazon Cognito for User Management: The AWS Documentation for Amazon Cognito states

"Amazon Cognito provides authentication

authorization

and user management for your web and mobile apps. Your users can sign in directly with a user name and password

or through a third party such as Facebook

Amazon

Google or Apple." This confirms Cognito is the correct choice for managing application users with low overhead.

Source: AWS Documentation

Amazon Cognito Developer Guide

"What Is Amazon Cognito?".

2. Amazon S3 for Object Storage: The AWS Documentation highlights S3's suitability for user-generated content. Storing large objects in S3 and metadata in DynamoDB is a common and recommended pattern.

Source: AWS Documentation

Amazon S3 User Guide

"Use cases for Amazon S3".

3. Amazon DynamoDB Item Size Limit: The official DynamoDB documentation explicitly states the service limit for item size

making option A technically impossible. "The maximum item size in DynamoDB is 400 KB

which includes both attribute name binary length (UTF-8 length) and attribute value lengths (again

binary length)."

Source: AWS Documentation

Amazon DynamoDB Developer Guide

"Service

account

and table quotas in Amazon DynamoDB".

4. IAM Users vs. Application Users: The AWS Identity and Access Management (IAM) best practices advise against using IAM users for application-level authentication. "Don't use IAM users for application access. Instead

your application should assume a role... For mobile or consumer-facing applications

we recommend that you use Amazon Cognito."

Source: AWS Documentation

IAM User Guide

"Security best practices in IAM".