The correct option is Amazon Cognito identity ID. When your app exchanges the social provider token with Amazon Cognito Identity Pools, Cognito creates or looks up a unique identity and returns an Amazon Cognito identity ID that the client uses to obtain temporary, limited privilege AWS credentials.

Cognito establishes the identity and the SDK then uses that identity identifier together with the provider token to request credentials. Cognito maps the identity to an IAM role and then invokes AWS Security Token Service to issue short lived credentials that are scoped by that role.

Cognito key pair is incorrect because Cognito does not return cryptographic key pairs to represent users or to fetch AWS credentials.

AWS Security Token Service is incorrect as the direct answer because STS is the backend service that issues the temporary credentials. The client does not receive STS itself after the identity provider exchange and instead receives a Cognito identity identifier first.

Amazon Cognito SDK is incorrect because the SDK is a client library used to call Cognito APIs and it is not the identifier or token returned by Cognito after authentication.

Full AWS Practitioner Certification Question