Broken Authentication is correct because it specifically describes weak safeguards for user passwords session tokens and other authentication secrets in cloud applications.

Broken Authentication covers flaws such as weak or missing password policies insecure session management predictable or exposed session tokens and poor secrets handling. In cloud applications these weaknesses let attackers hijack accounts impersonate users or reuse leaked tokens to access resources, so the OWASP category points to failures in authentication design and implementation.

Insufficient logging and monitoring is incorrect because that category is about the detection and response to attacks and system events and not about protecting passwords tokens or authentication secrets.

Cloud IAM misconfiguration is incorrect because this phrase refers to cloud provider or policy configuration issues and not to the specific OWASP Top Ten category that describes application level authentication failures.

Sensitive Data Exposure is incorrect because that category focuses on improper protection of stored or transmitted sensitive information and while it can include leaked credentials the distinct problem of authentication and session management is classified under Broken Authentication.

Full AWS Practitioner Certification Question